author | Werner Koch <wk@gnupg.org> | 2024-02-10 14:24:50 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2024-02-10 14:26:55 +0100 |
commit | 302afcb6f6af1dc88357acacfaa6829f0717b1c6 (patch) | |
tree | f198426cf8c1713df2c7f0ae6939fc9fad12667e /g10/verify.c | |
parent | doc: Suggest the use of a fingerprint for --default-key. (diff) | |
gpg: Add option --assert-pubkey_algo.
* g10/keyid.c (parse_one_algo_string): New.
(compare_pubkey_string_part): New.
(compare_pubkey_string): New.
* g10/verify.c (check_assert_signer_list): New.
* g10/mainproc.c (check_sig_and_print): Call check_assert_pubkey_algo.
* g10/options.h (opt): Add field assert_pubkey_algos.
* g10/gpg.c (oAssertPubkeyAlgo): New.
(opts): Add "--assert-pubkey_algo".
(assert_pubkey_algo_false): New.
(main): Parse option.
(g10_exit): Reorder RC modifications. Check assert_pubkey_algo_false.
* common/status.h (ASSERT_PUBKEY_ALGOS): new.
* common/t-support.h (LEAN_T_SUPPORT): Use a simplified version if
this macro is set.
* g10/gpgv.c (oAssertPubkeyAlgo): New.
(opts): Add "--assert-pubkey_algo".
(assert_pubkey_algo_false): New.
(main): Parse option.
(g10_exit): Check assert_pubkey_algo_false.
* g10/t-keyid.c: New.
* g10/Makefile.am: Add t-keyid.
* g10/test-stubs.c: Add assert_pubkey_algos and assert_signer_list and
remove from other tests.
(check_assert_signer_list): Ditto.
(check_assert_pubkey_algo): Ditto.
--
GnuPG-bug-id: 6946
Diffstat (limited to '')
-rw-r--r-- | g10/verify.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/g10/verify.c b/g10/verify.c
index e9792939d..1c3de767c 100644
--- a/g10/verify.c
+++ b/g10/verify.c
@@ -333,7 +333,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
           assert_signer_true = 1;
           write_status_text (STATUS_ASSERT_SIGNER, item->d);
           if (!opt.quiet)
-            log_info ("signer '%s' matched\n", item->d);
+            log_info ("asserted signer '%s'\n", item->d);
           goto leave;
         }
     }
@@ -388,7 +388,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
           assert_signer_true = 1;
           write_status_text (STATUS_ASSERT_SIGNER, p);
           if (!opt.quiet)
-            log_info ("signer '%s' matched '%s', line %d\n",
+            log_info ("asserted signer '%s' (%s:%d)\n",
                       p, fname, lnr);
           goto leave;
         }
@@ -405,3 +405,32 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
  leave:
   es_fclose (fp);
 }
+
+
+/* This function shall be called with the signer's public key
+ * algorithm ALGOSTR iff a signature is fully valid.  If the option
+ * --assert-pubkey-algo is active the functions checks whether the
+ * signing key's algo is valid according to that list; in this case a
+ * global flag is set. */
+void
+check_assert_pubkey_algo (const char *algostr, const char *pkhex)
+{
+  if (!opt.assert_pubkey_algos)
+    return; /* Nothing to do. */
+
+  if (compare_pubkey_string (algostr, opt.assert_pubkey_algos))
+    {
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 1 ", algostr, NULL);
+      if (!opt.quiet)
+        log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr);
+    }
+  else
+    {
+      if (!opt.quiet)
+        log_info ("denied signer '%s' with algo %s\n", pkhex, algostr);
+      assert_pubkey_algo_false = 1;
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 0 ", algostr, NULL);
+    }
+}
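Review bot: The header comment on check_assert_pubkey_algo leaves out the failure semantics that callers and status-line consumers depend on: as far as this hunk shows, a non-matching algorithm is recorded only by setting the global `assert_pubkey_algo_false` flag and writing an ASSERT_PUBKEY_ALGO status line with value 0, and nothing in the function alters the signature's own verification result, so a consumer that reads only the per-signature status and ignores that line or the exit code would not notice the denial. The comment also reads `the functions checks` (should be `the function checks`) and spells the option `--assert-pubkey-algo`, whereas the commit message lists it as `--assert-pubkey_algo`; one of the two spellings should be corrected so that the option name can be found by search. I would extend the comment with a sentence such as `On a mismatch the global flag assert_pubkey_algo_false is set (consulted by g10_exit) and an ASSERT_PUBKEY_ALGO status line with value 0 is emitted; the verification result of the signature itself is not changed here.` Minor style point: the two branches order the write_status_strings and log_info calls differently; writing the status line first in both keeps the output order the same for a --status-fd reader whether the check passes or fails.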