gpgsm: Support ECDSA in de-vs mode.

* common/compliance.h (PK_ALGO_FLAG_ECC18): New.
* common/compliance.c (gnupg_pk_is_allowed): Implement.
* sm/decrypt.c (gpgsm_decrypt): Pass new flag.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

GnuPG-bug-id: 6802

NEWS

@@ -32,7 +32,7 @@ Noteworthy changes in version 2.2.42 (unreleased)
   * gpg: Fix the "keytocard" command for moving ECC keys with
     non-standard ECDH parameters to OpenPGP cards.  [rG92af3f88a9]
 
-  * gpgsm: Support ECC certificates.  [T6253]
+  * gpgsm: Support ECC certificates.  [T6253, T6802]
 
   * gpgsm: Print PROGRESS status lines.  Add new --input-size-hint.
     [T6534]

common/compliance.c

@@ -261,6 +261,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
   if (! initialized)
     return 1;
 
+  /* Map the the generic ECC algo to ECDSA if requested.  */
+  if ((algo_flags & PK_ALGO_FLAG_ECC18)
+      && algo == GCRY_PK_ECC
+      && (use == PK_USE_VERIFICATION
+          || use == PK_USE_SIGNING))
+    algo = GCRY_PK_ECDSA;
+
   switch (compliance)
     {
     case CO_DE_VS:
@@ -285,7 +292,6 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	    default:
 	      log_assert (!"reached");
 	    }
-          (void)algo_flags;
 	  break;
 
 	case PUBKEY_ALGO_DSA:
@@ -306,7 +312,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	  result = (use == PK_USE_DECRYPTION);
           break;
 
-	case PUBKEY_ALGO_ECDH:
+	case PUBKEY_ALGO_ECDH:  /* Same value as GCRY_PK_ECC, i.e. 18  */
 	case GCRY_PK_ECDH:
 	  if (use == PK_USE_DECRYPTION)
             result = 1;
@@ -557,6 +563,9 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
   int *result;
   int res;
 
+  /* #warning debug code ahead */
+  /* return 1; */
+
   result = get_compliance_cache (compliance, 1);
 
   if (result && *result != -1)

common/compliance.h

@@ -52,6 +52,7 @@ enum pk_use_case
 
 /* Flags to distinguish public key algorithm variants.  */
 #define PK_ALGO_FLAG_RSAPSS 1    /* Use rsaPSS padding. */
+#define PK_ALGO_FLAG_ECC18  256  /* GCRY_PK_ECC is used in a generic way.  */
 
 
 int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,

sm/decrypt.c

@@ -1327,7 +1327,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                   /* Check compliance.  */
                   if (!gnupg_pk_is_allowed (opt.compliance,
                                             PK_USE_DECRYPTION,
-                                            pk_algo, 0, NULL, nbits, curve))
+                                            pk_algo, PK_ALGO_FLAG_ECC18,
+                                            NULL, nbits, curve))
                     {
                       char  kidstr[10+1];
 

sm/sign.c

@@ -732,8 +732,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
           goto leave;
         }
 
-      if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
+      if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo,
-                                NULL, nbits, curve))
+                                PK_ALGO_FLAG_ECC18, NULL, nbits, curve))
         {
           char  kidstr[10+1];
 

sm/verify.c

@@ -503,6 +503,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
       audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo);
 
       /* Check compliance.  */
+      pkalgoflags |= PK_ALGO_FLAG_ECC18;
       if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
                                  pkalgo, pkalgoflags, NULL, nbits, pkcurve))
         {