Page Menu
Home
GnuPG
Search
Configure Global Search
Log In
Files
F281035
0001-gpg-Check-that-a-key-may-do-certifications.patch
werner (Werner Koch)
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Authored By
•
werner
Apr 6 2018, 11:15 AM
2018-04-06 11:15:06 (UTC+2)
Size
1 KB
Subscribers
None
0001-gpg-Check-that-a-key-may-do-certifications.patch
View Options
From 63365c07441370b4d54e8a3b6f70460262054840 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 6 Apr 2018 11:04:04 +0200
Subject: [PATCH GnuPG] gpg: Check that a key may do certifications.
* g10/sig-check.c (check_signature_end_simple): Check key usage for
certifciations.
(check_signature_over_key_or_uid): Request usage certification.
--
This is just an idea and not very useful. See the code comment.
GnuPG-bug-id: 3844
Signed-off-by: Werner Koch <wk@gnupg.org>
---
g10/sig-check.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/g10/sig-check.c b/g10/sig-check.c
index 1a90fd3..9cf306d 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -464,6 +464,23 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
}
}
+ /* For key signatures check that the key has a cert usage. However,
+ * we have a catch-22 here because the key usage is stored in a key
+ * signature. So what we do here is to run the check only when we
+ * already have a key usage - not very useful. */
+ if (pk->pubkey_usage
+ && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT))
+ {
+ rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+ if (!opt.quiet)
+ log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"),
+ keystr_from_pk (pk), gpg_strerror (rc),
+ sig->sig_class, pk->pubkey_usage);
+ return rc;
+ }
+ /* Fixme: Should we also check the signing capability here for data
+ * signature? */
+
/* Make sure the digest algo is enabled (in case of a detached
* signature). */
gcry_md_enable (digest, sig->digest_algo);
@@ -893,6 +910,9 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
signer_alloced = 2;
}
+ if (IS_CERT (sig))
+ signer->req_usage = PUBKEY_USAGE_CERT;
+
rc = get_pubkey (ctrl, signer, sig->keyid);
if (rc)
{
--
2.8.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
150059
Attached To
T3844: Able to certify public keys without a certify key present when using smartcard.
Event Timeline
Log In to Comment