security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-03-11 22:52:47 +01:00
Code Activity

sm: Improve readability of the data verification output.

Browse Source 
* sm/verify.c (gpgsm_verify): Print the used algorithms.
--

Note that we now use the full fingerprint instead of the certificate
id.  This better aligns with what we do in gpg.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-05-08 13:42:36 +02:00
parent 9496634745
commit a759fa963a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 66 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
sm/verify.c
View File

@ -294,6 +294,10 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
char *ctattr; char *ctattr;
int sigval_hash_algo; int sigval_hash_algo;
int info_pkalgo; int info_pkalgo;
unsigned int nbits;
int pkalgo;
char *pkalgostr = NULL;
char *pkfpr = NULL;
unsigned int verifyflags; unsigned int verifyflags;
rc = ksba_cms_get_issuer_serial (cms, signer, &issuer, &serial); rc = ksba_cms_get_issuer_serial (cms, signer, &issuer, &serial);
@ -450,13 +454,41 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
goto next_signer; goto next_signer;
} }
/* Check compliance. */ pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
{ pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
unsigned int nbits; pkalgo = gpgsm_get_key_algo_info (cert, &nbits);
int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
/* Print infos about the signature. */
log_info (_("Signature made "));
if (*sigtime)
{
/* We take the freedom as noted in RFC3339 to use a space
* instead of the :T" delimiter between date and time.. We
* also append a separate UTC instead of a "Z" or "+00:00"
* suffix because that makes it clear to everyone what kind
* of time this is. */
dump_isotime (sigtime);
log_printf (" UTC");
}
else
log_printf (_("[date not given]"));
log_info (_(" using %s key %s\n"), pkalgostr, pkfpr);
if (opt.verbose)
{
log_info (_("algorithm:"));
log_printf (" %s + %s",
gcry_pk_algo_name (pkalgo),
gcry_md_algo_name (sigval_hash_algo));
if (algo != sigval_hash_algo)
log_printf (" (%s)", gcry_md_algo_name (algo));
log_printf ("\n");
}
audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo);
/* Check compliance. */
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pk_algo, NULL, nbits, NULL)) pkalgo, NULL, nbits, NULL))
{ {
char kidstr[10+1]; char kidstr[10+1];
@ -477,22 +509,13 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
} }
/* Check compliance with CO_DE_VS. */ /* Check compliance with CO_DE_VS. */
if (gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL) if (gnupg_pk_is_compliant (CO_DE_VS, pkalgo, NULL, nbits, NULL)
&& gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo)) && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE, gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS)); gnupg_status_compliance_flag (CO_DE_VS));
}
log_info (_("Signature made "));
if (*sigtime)
dump_isotime (sigtime);
else
log_printf (_("[date not given]"));
log_printf (_(" using certificate ID 0x%08lX\n"),
gpgsm_get_short_fingerprint (cert, NULL));
audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo);
/* Now we can check the signature. */
if (msgdigest) if (msgdigest)
{ /* Signed attributes are available. */ { /* Signed attributes are available. */
gcry_md_hd_t md; gcry_md_hd_t md;
@ -595,6 +618,11 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
xfree (fpr); xfree (fpr);
/* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then
* ECC. We should use the ECDS here and need to find a way to
* figure this oult without using the bodus assumtion in
* gpgsm_check_cms_signature that ECC is alwas ECDSA. */
fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
tstr = strtimestamp_r (sigtime); tstr = strtimestamp_r (sigtime);
buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr, buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr,
@ -636,6 +664,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
ksba_free (p); ksba_free (p);
} }
/* Print a note if this is a qualified signature. */ /* Print a note if this is a qualified signature. */
{ {
size_t qualbuflen; size_t qualbuflen;
@ -671,6 +700,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
xfree (serial); xfree (serial);
xfree (sigval); xfree (sigval);
xfree (msgdigest); xfree (msgdigest);
xfree (pkalgostr);
xfree (pkfpr);
ksba_cert_release (cert); ksba_cert_release (cert);
cert = NULL; cert = NULL;
} }