diff options
author | Werner Koch <wk@gnupg.org> | 2020-05-08 13:42:36 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2020-05-08 13:42:51 +0200 |
commit | a759fa963a42e0652134130029217270b6d5d00b (patch) | |
tree | c11a3409b99465c24c624e86f780bd3a4e178ca3 /sm | |
parent | card: Allow listing of NKS cards. (diff) | |
download | gnupg2-a759fa963a42e0652134130029217270b6d5d00b.tar.xz gnupg2-a759fa963a42e0652134130029217270b6d5d00b.zip |
sm: Improve readability of the data verification output.
* sm/verify.c (gpgsm_verify): Print the used algorithms.
--
Note that we now use the full fingerprint instead of the certificate
id. This better aligns with what we do in gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'sm')
-rw-r--r-- | sm/verify.c | 101 |
1 files changed, 66 insertions, 35 deletions
diff --git a/sm/verify.c b/sm/verify.c index 6d2f11055..ecc3a7c1f 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -294,6 +294,10 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) char *ctattr; int sigval_hash_algo; int info_pkalgo; + unsigned int nbits; + int pkalgo; + char *pkalgostr = NULL; + char *pkfpr = NULL; unsigned int verifyflags; rc = ksba_cms_get_issuer_serial (cms, signer, &issuer, &serial); @@ -450,49 +454,68 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) goto next_signer; } - /* Check compliance. */ - { - unsigned int nbits; - int pk_algo = gpgsm_get_key_algo_info (cert, &nbits); - - if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, - pk_algo, NULL, nbits, NULL)) - { - char kidstr[10+1]; - - snprintf (kidstr, sizeof kidstr, "0x%08lX", - gpgsm_get_short_fingerprint (cert, NULL)); - log_error (_("key %s may not be used for signing in %s mode\n"), - kidstr, - gnupg_compliance_option_string (opt.compliance)); - goto next_signer; - } - - if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo)) - { - log_error (_("digest algorithm '%s' may not be used in %s mode\n"), - gcry_md_algo_name (sigval_hash_algo), - gnupg_compliance_option_string (opt.compliance)); - goto next_signer; - } - - /* Check compliance with CO_DE_VS. */ - if (gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL) - && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo)) - gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE, - gnupg_status_compliance_flag (CO_DE_VS)); - } + pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); + pkalgostr = gpgsm_pubkey_algo_string (cert, NULL); + pkalgo = gpgsm_get_key_algo_info (cert, &nbits); + /* Print infos about the signature. */ log_info (_("Signature made ")); if (*sigtime) - dump_isotime (sigtime); + { + /* We take the freedom as noted in RFC3339 to use a space + * instead of the :T" delimiter between date and time.. We + * also append a separate UTC instead of a "Z" or "+00:00" + * suffix because that makes it clear to everyone what kind + * of time this is. */ + dump_isotime (sigtime); + log_printf (" UTC"); + } else log_printf (_("[date not given]")); - log_printf (_(" using certificate ID 0x%08lX\n"), - gpgsm_get_short_fingerprint (cert, NULL)); + log_info (_(" using %s key %s\n"), pkalgostr, pkfpr); + if (opt.verbose) + { + log_info (_("algorithm:")); + log_printf (" %s + %s", + gcry_pk_algo_name (pkalgo), + gcry_md_algo_name (sigval_hash_algo)); + if (algo != sigval_hash_algo) + log_printf (" (%s)", gcry_md_algo_name (algo)); + log_printf ("\n"); + } audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo); + /* Check compliance. */ + if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, + pkalgo, NULL, nbits, NULL)) + { + char kidstr[10+1]; + + snprintf (kidstr, sizeof kidstr, "0x%08lX", + gpgsm_get_short_fingerprint (cert, NULL)); + log_error (_("key %s may not be used for signing in %s mode\n"), + kidstr, + gnupg_compliance_option_string (opt.compliance)); + goto next_signer; + } + + if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo)) + { + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), + gcry_md_algo_name (sigval_hash_algo), + gnupg_compliance_option_string (opt.compliance)); + goto next_signer; + } + + /* Check compliance with CO_DE_VS. */ + if (gnupg_pk_is_compliant (CO_DE_VS, pkalgo, NULL, nbits, NULL) + && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo)) + gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE, + gnupg_status_compliance_flag (CO_DE_VS)); + + + /* Now we can check the signature. */ if (msgdigest) { /* Signed attributes are available. */ gcry_md_hd_t md; @@ -595,6 +618,11 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) xfree (fpr); + /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then + * ECC. We should use the ECDS here and need to find a way to + * figure this oult without using the bodus assumtion in + * gpgsm_check_cms_signature that ECC is alwas ECDSA. */ + fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); tstr = strtimestamp_r (sigtime); buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr, @@ -636,6 +664,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) ksba_free (p); } + /* Print a note if this is a qualified signature. */ { size_t qualbuflen; @@ -671,6 +700,8 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) xfree (serial); xfree (sigval); xfree (msgdigest); + xfree (pkalgostr); + xfree (pkfpr); ksba_cert_release (cert); cert = NULL; } |