sm: Exclude rsaPSS from de-vs compliance mode.

* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2020-07-03 15:47:55 +02:00 · 2020-07-03 15:47:55 +02:00 · 969abcf40c
commit 969abcf40c
parent c1663c690b
16 changed files with 175 additions and 89 deletions
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@ -757,7 +757,8 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)

      /* Check compliance.  */
      pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
-      if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, NULL, nbits, NULL))
+      if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
+                                  NULL, nbits, NULL))
        {
          char  kidstr[10+1];

@ -772,7 +773,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
      /* Fixme: When adding ECC we need to provide the curvename and
       * the key to gnupg_pk_is_compliant.  */
      if (compliant
-          && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL))
+          && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL))
        compliant = 0;

      rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);