summaryrefslogtreecommitdiffstats
path: root/g10
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2019-05-13 19:01:28 +0200
committerWerner Koch <wk@gnupg.org>2019-05-13 19:01:28 +0200
commit484d6ba5896acfa3dcf73d9536bcf5e006579b5f (patch)
tree17b3355fb87dada6f1b5ab234329c79646d30e17 /g10
parentgpg: Cleanup use of make_keysig_packet. (diff)
downloadgnupg2-484d6ba5896acfa3dcf73d9536bcf5e006579b5f.tar.xz
gnupg2-484d6ba5896acfa3dcf73d9536bcf5e006579b5f.zip
gpg: Change update_keysig_packet to replace SHA-1 by SHA-256.
* g10/sign.c (update_keysig_packet): Convert digest algo when needed. -- Several gpg commands try to keep most properties of a key signature when updating (i.e. creating a new version of a key signature). This included the use of the current hash-algorithm. This patch changes this so that SHA-1 or RMD160 are replaced by SHA-256 if possible (i.e. for RSA signatures). Affected commands are for example --quick-set-expire and --quick-set-primary-uid. GnuPG-bug-id: 4508 Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'g10')
-rw-r--r--g10/sign.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/g10/sign.c b/g10/sign.c
index 132b94101..d71580639 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -1714,8 +1714,19 @@ update_keysig_packet (ctrl_t ctrl,
|| (orig_sig->sig_class == 0x18 && !subpk))
return GPG_ERR_GENERAL;
+ /* Either use the override digest algo or in the normal case the
+ * original digest algorithm. However, iff the original digest
+ * algorithms is SHA-1 and we are in gnupg or de-vs compliance mode
+ * we switch to SHA-256 (done by the macro). */
if (opt.cert_digest_algo)
digest_algo = opt.cert_digest_algo;
+ else if (pksk->pubkey_algo == PUBKEY_ALGO_DSA
+ || pksk->pubkey_algo == PUBKEY_ALGO_ECDSA
+ || pksk->pubkey_algo == PUBKEY_ALGO_EDDSA)
+ digest_algo = orig_sig->digest_algo;
+ else if (orig_sig->digest_algo == DIGEST_ALGO_SHA1
+ || orig_sig->digest_algo == DIGEST_ALGO_RMD160)
+ digest_algo = DEFAULT_DIGEST_ALGO;
else
digest_algo = orig_sig->digest_algo;