sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-07-03 15:47:55 +02:00 · 2020-07-03 15:47:55 +02:00 · 969abcf40c
commit 969abcf40c
parent c1663c690b
16 changed files with 175 additions and 89 deletions
--- a/common/compliance.c
+++ b/common/compliance.c
@ -96,6 +96,7 @@ gnupg_initialize_compliance (int gnupg_module_name)
 * both are compatible from the point of view of this function.  */
 int
 gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
+                       unsigned int algo_flags,
 		       gcry_mpi_t key[], unsigned int keylength,
                       const char *curvename)
 {
@ -148,6 +149,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
          result = (keylength == 2048
                    || keylength == 3072
                    || keylength == 4096);
+          /* rsaPSS was not part of the evaluation and thus we don't
+           * claim compliance.  */
+          if ((algo_flags & PK_ALGO_FLAG_RSAPSS))
+            result = 0;
          break;

 	case is_dsa:
@ -197,7 +202,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 * they produce, and liberal in what they accept.  */
 int
 gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
-		     enum pk_use_case use, int algo, gcry_mpi_t key[],
+		     enum pk_use_case use, int algo,
+                     unsigned int algo_flags, gcry_mpi_t key[],
 		     unsigned int keylength, const char *curvename)
 {
  int result = 0;
@ -228,6 +234,10 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	    default:
 	      log_assert (!"reached");
 	    }
+          /* rsaPSS was not part of the evaluation and thus we don't
+           * claim compliance.  */
+          if ((algo_flags & PK_ALGO_FLAG_RSAPSS))
+            result = 0;
 	  break;

 	case PUBKEY_ALGO_DSA: