sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2020-07-03 15:47:55 +02:00 · 2020-07-03 15:47:55 +02:00 · 969abcf40c
commit 969abcf40c
parent c1663c690b
16 changed files with 175 additions and 89 deletions
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@ -871,7 +871,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                  /* Check compliance.  */
                  if (!gnupg_pk_is_allowed (opt.compliance,
                                            PK_USE_DECRYPTION,
-                                            pk_algo, NULL, nbits, NULL))
+                                            pk_algo, 0, NULL, nbits, NULL))
                    {
                      char  kidstr[10+1];

@ -887,7 +887,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)

                  /* Check that all certs are compliant with CO_DE_VS.  */
                  is_de_vs = (is_de_vs
-                              && gnupg_pk_is_compliant (CO_DE_VS, pk_algo,
+                              && gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
                                                        NULL, nbits, NULL));

                oops: