GPGSM: Add weak digest algo handling to disable MD5 signatures
Open, Wishlist, Public

Description

GPGSM accepts signatures with MD5 as digest for messages and certificate chains. It would be good to have weak-digest and allow-weak-digest handling for GpgSM similar to that of GPG.

Note: In de-vs compliance mode such messages would not be compliant.

To reproduce, download this certificate:

and this message:

export GNUPGHOME=$(mktemp -d)
gpgsm --import CERT_PATH_ALGO_STRENGTH_01_ROOT_CA.TA.crt
echo "87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0 S" > $GNUPGHOME/trustlist.txt
echo "disable-crl-checks" > $GNUPGHOME/gpgsm.conf
gpgparsemail --crypto CERT_PATH_ALGO_STRENGTH_01.eml

This is moved out from T3948:

Test Name | Evaluation | Expected Result | Application result

CERT_PATH_ALGO_STRENGTH_01 | ERROR | INVALID | VALID

Checks the behaviour of the application when an insecure hash algorithm has been used in the production of the intermediate certificate's signature. This path is not valid, because the hash algorithm is insecure.

CERT_PATH_ALGO_STRENGTH_02 | ERROR | INVALID | VALID

Checks the behaviour of the application when an insecure hash algorithm has been used in the production of the target certificate's signature. This path is not valid, because the hash algorithm is insecure.

Details

Version
2.2.7-beta33