[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.5-50-g1a5d95e

by Werner Koch cvs at cvs.gnupg.org
Mon Apr 9 10:28:36 CEST 2018 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, STABLE-BRANCH-2-2 has been updated
       via  1a5d95e7319e7e6f0dd11064a26cbbc371b05214 (commit)
      from  0336e5d1a7b9d46e06c838e6a98aecfcc9542882 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1a5d95e7319e7e6f0dd11064a26cbbc371b05214
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Apr 6 11:04:04 2018 +0200

    gpg: Check that a key may do certifications.
    
    * g10/sig-check.c (check_signature_end_simple): Check key usage for
    certifications.
    (check_signature_over_key_or_uid): Request usage certification.
    --
    
    GnuPG-bug-id: 3844
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/sig-check.c b/g10/sig-check.c
index 1a90fd3..e5de025 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -464,6 +464,24 @@ check_signature_end_simple (PKT_public_key *pk, PKT_signature *sig,
           }
     }
 
+  /* For key signatures check that the key has a cert usage.  We may
+   * do this only for subkeys because the primary may always issue key
+   * signature.  The latter may not be reflected in the pubkey_usage
+   * field because we need to check the key signatures to extract the
+   * key usage.  */
+  if (!pk->flags.primary
+      && IS_CERT (sig) && !(pk->pubkey_usage & PUBKEY_USAGE_CERT))
+    {
+      rc = gpg_error (GPG_ERR_WRONG_KEY_USAGE);
+      if (!opt.quiet)
+        log_info (_("bad key signature from key %s: %s (0x%02x, 0x%x)\n"),
+                  keystr_from_pk (pk), gpg_strerror (rc),
+                  sig->sig_class, pk->pubkey_usage);
+      return rc;
+    }
+  /* Fixme: Should we also check the signing capability here for data
+   * signature?  */
+
   /* Make sure the digest algo is enabled (in case of a detached
    * signature).  */
   gcry_md_enable (digest, sig->digest_algo);
@@ -893,6 +911,9 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
                   signer_alloced = 2;
                 }
 
+              if (IS_CERT (sig))
+                signer->req_usage = PUBKEY_USAGE_CERT;
+
               rc = get_pubkey (ctrl, signer, sig->keyid);
               if (rc)
                 {

-----------------------------------------------------------------------

Summary of changes:
 g10/sig-check.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org

More information about the Gnupg-commits mailing list