security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-10 13:04:23 +01:00
Code Activity

gpg: Extra check for sign usage when verifying a data signature.

Browse Source 
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--

Without this patch the signature verification fails only due to the
missing back signature.  This check better explains what went wrong.

GnuPG-bug-id: 4014
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 214b0077264e35c079e854a8b6374704aea45cd5)
This commit is contained in:
Werner Koch 2018-07-04 08:59:12 +02:00
parent 04fb76684d
commit ef50fdf82a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
g10/sig-check.c
View File

@ -479,8 +479,17 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
sig->sig_class, pk->pubkey_usage);
return rc;
}
/* Fixme: Should we also check the signing capability here for data
* signature? */
/* For data signatures check that the key has sign usage. */
if (IS_SIG (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_SIG))
{
rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
if (!opt.quiet)
log_info (_("bad data signature from key %s: %s (0x%02x, 0x%x)\n"),
keystr_from_pk (pk), gpg_strerror (rc),
sig->sig_class, pk->pubkey_usage);
return rc;
}
/* Make sure the digest algo is enabled (in case of a detached
* signature). */