diff options
Diffstat (limited to 'sm/verify.c')
| -rw-r--r-- | sm/verify.c | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/sm/verify.c b/sm/verify.c index 5510f42..58911bb 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -106,12 +106,17 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) int signer; const char *algoid; int algo; - int is_detached; + int is_detached, maybe_detached; estream_t in_fp = NULL; char *p; audit_set_type (ctrl->audit, AUDIT_TYPE_VERIFY); + /* Although we detect detached signatures during the parsing phase, + * we need to know it earlier and thus accept the caller's idea of + * what to verify. */ + maybe_detached = (data_fd != -1); + kh = keydb_new (); if (!kh) { @@ -132,7 +137,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) rc = gnupg_ksba_create_reader (&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0) | (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0) - | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)), + | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0) + | (maybe_detached? GNUPG_KSBA_IO_STRIP : 0)), in_fp, &reader); if (rc) { @@ -153,6 +159,10 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) } } + gnupg_ksba_set_progress_cb (b64writer, gpgsm_progress_cb, ctrl); + if (ctrl->input_size_hint) + gnupg_ksba_set_total (b64writer, ctrl->input_size_hint); + rc = ksba_cms_new (&cms); if (rc) goto leave; @@ -300,6 +310,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) unsigned int nbits; int pkalgo; char *pkalgostr = NULL; + char *pkcurve = NULL; char *pkfpr = NULL; unsigned int pkalgoflags, verifyflags; @@ -458,7 +469,11 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); pkalgostr = gpgsm_pubkey_algo_string (cert, NULL); - pkalgo = gpgsm_get_key_algo_info (cert, &nbits); + pkalgo = gpgsm_get_key_algo_info (cert, &nbits, &pkcurve); + /* Remap the ECC algo to the algo we use. Note that EdDSA has + * already been mapped. */ + if (pkalgo == GCRY_PK_ECC) + pkalgo = GCRY_PK_ECDSA; log_info (_("Signature made ")); if (*sigtime) @@ -488,8 +503,9 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo); /* Check compliance. */ + pkalgoflags |= PK_ALGO_FLAG_ECC18; if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, - pkalgo, pkalgoflags, NULL, nbits, NULL)) + pkalgo, pkalgoflags, NULL, nbits, pkcurve)) { char kidstr[10+1]; @@ -509,9 +525,19 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) goto next_signer; } + /* Print compliance warning for the key. */ + if (!opt.quiet + && !gnupg_pk_is_compliant (opt.compliance, pkalgo, pkalgoflags, + NULL, nbits, pkcurve)) + { + log_info (_("WARNING: This key is not suitable for signing" + " in %s mode\n"), + gnupg_compliance_option_string (opt.compliance)); + } + /* Check compliance with CO_DE_VS. */ if (gnupg_pk_is_compliant (CO_DE_VS, pkalgo, pkalgoflags, - NULL, nbits, NULL) + NULL, nbits, pkcurve) && gnupg_gcrypt_is_compliant (CO_DE_VS) && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo)) gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE, @@ -524,7 +550,6 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) gpgsm_errors_seen = 1; } - /* Now we can check the signature. */ if (msgdigest) { /* Signed attributes are available. */ @@ -705,6 +730,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) gcry_sexp_release (sigval); xfree (msgdigest); xfree (pkalgostr); + xfree (pkcurve); xfree (pkfpr); ksba_cert_release (cert); cert = NULL; |