GPGSM accepts signatures that use MD5 as the digest, both on messages and on certificates in a chain. It would be good to have weak-digest and allow-weak-digest handling in GpgSM similar to the `--weak-digest` / `--allow-weak-digest` handling in GPG.
Note: in de-vs compliance mode such messages would not be compliant.
To reproduce, download this certificate:
and this message:

```
export GNUPGHOME=$(mktemp -d)                      # fresh, throw-away GnuPG home
gpgsm --import CERT_PATH_ALGO_STRENGTH_01_ROOT_CA.TA.crt   # import the test root CA
echo "87:0F:8B:9E:5E:DF:A7:87:D2:B9:98:7C:2A:EA:9B:D6:DD:93:2F:D0 S" > $GNUPGHOME/trustlist.txt   # trust the root by fingerprint (S = S/MIME)
echo "disable-crl-checks" > $GNUPGHOME/gpgsm.conf  # skip CRL checks for the test certs
gpgparsemail --crypto CERT_PATH_ALGO_STRENGTH_01.eml   # verify the test message
```
This is moved out from T3948:
| Test Name | Evaluation | Expected Result | Application result |
| --- | --- | --- | --- |
| CERT_PATH_ALGO_STRENGTH_01 | ERROR | INVALID | VALID |
| CERT_PATH_ALGO_STRENGTH_02 | ERROR | INVALID | VALID |

CERT_PATH_ALGO_STRENGTH_01: Checks the behaviour of the application when an insecure hash algorithm has been used in the production of the intermediate certificate's signature. This path is not valid, because the hash algorithm is insecure.

CERT_PATH_ALGO_STRENGTH_02: Checks the behaviour of the application when an insecure hash algorithm has been used in the production of the target certificate's signature. This path is not valid, because the hash algorithm is insecure.
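As an added example (not code from this report or from GnuPG), the script below applies the kind of weak-digest policy the report asks for to a certificate chain, covering both the requested `--weak-digest` / `--allow-weak-digest` behaviour and the two test cases in the table: it reads each certificate's outer signatureAlgorithm OID with a small stdlib-only DER reader, maps the OID to a digest name, and returns INVALID when any certificate below the trust anchor is signed with a weak digest, unless an allow-weak override is set. The certificates it runs on are constructed DER stubs built inside the script (only the signatureAlgorithm field is meaningful), not the CERT_PATH_ALGO_STRENGTH test files; the OID table, the default weak set (MD2 and MD5, following GPG's rule that MD5 is always weak) and all function names are assumptions.

```python
"""Weak-digest policy check for a DER certificate chain (added example, stdlib only)."""

# signatureAlgorithm OID -> digest used (assumed table; standard PKIX/PKCS#1 OIDs).
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.2": "MD2",
    "1.2.840.113549.1.1.4": "MD5",
    "1.2.840.113549.1.1.5": "SHA1",
    "1.2.840.113549.1.1.11": "SHA256",
    "1.2.840.113549.1.1.12": "SHA384",
    "1.2.840.113549.1.1.13": "SHA512",
    "1.2.840.10045.4.1": "SHA1",
    "1.2.840.10045.4.3.2": "SHA256",
    "1.2.840.10045.4.3.3": "SHA384",
    "1.2.840.10045.4.3.4": "SHA512",
}

# Assumption: mirror GPG, where MD5 is always weak; callers add SHA1 etc. via weak_digests.
DEFAULT_WEAK = frozenset({"MD2", "MD5"})


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_digest(cert_der):
    """Return the digest name of a certificate's outer signatureAlgorithm (or raw OID if unknown)."""
    tag, body, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)              # tbsCertificate (not needed here)
    _, sig_alg, _ = _read_tlv(body, pos)           # signatureAlgorithm AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)      # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return SIG_OID_DIGEST.get(oid, oid)


def check_chain(chain_der, weak_digests=DEFAULT_WEAK, allow_weak=False):
    """Evaluate a chain given leaf-first with the trust anchor last.

    Returns (verdict, findings); findings are (index, digest, is_weak) per checked cert.
    The anchor's self-signature is not part of path validation, so it is not checked."""
    findings = []
    for index, der in enumerate(chain_der[:-1]):
        digest = signature_digest(der)
        findings.append((index, digest, digest in weak_digests))
    if any(weak for _, _, weak in findings) and not allow_weak:
        return "INVALID", findings
    return "VALID", findings


# --- constructed stub certificates (assumed helpers, not real signed certs) ---

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def make_stub_cert(sig_oid):
    """Constructed stand-in: minimal TBSCertificate, the signatureAlgorithm under test, dummy BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                 # placeholder serial only
    sig_alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    sig_val = _der(0x03, b"\x00" * 17)                    # not a real signature
    return _der(0x30, tbs + sig_alg + sig_val)


MD5_RSA, SHA256_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"
# Chains modelled on the report's test cases (constructed): leaf, intermediate, root.
CASE_01 = [make_stub_cert(SHA256_RSA), make_stub_cert(MD5_RSA), make_stub_cert(SHA256_RSA)]
CASE_02 = [make_stub_cert(MD5_RSA), make_stub_cert(SHA256_RSA), make_stub_cert(SHA256_RSA)]
CASE_OK = [make_stub_cert(SHA256_RSA)] * 3

if __name__ == "__main__":
    for name, chain in (("CERT_PATH_ALGO_STRENGTH_01", CASE_01),
                        ("CERT_PATH_ALGO_STRENGTH_02", CASE_02), ("all-SHA256", CASE_OK)):
        print(name, *check_chain(chain))
```

Run as a script to see the two table cases come out INVALID and the all-SHA256 chain VALID; passing `allow_weak=True` to `check_chain` gives the permissive `--allow-weak-digest` behaviour, and extending `weak_digests` (for example with "SHA1") is the equivalent of listing further algorithms with `--weak-digest`.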