author | Panu Matilainen <pmatilai@redhat.com> | 2010-06-29 10:47:18 +0300 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2010-06-29 10:47:18 +0300 |
commit | 0e143cfe9f11abc42733d2265dc6d61cb716e5a4 (patch) | |
tree | 216f91ba2e91c3909ddce56052c872cdfb2d5184 | |
parent | 20cfa7d2b4c927798ad38126821d194fafd93ffe (diff) | |
Add some sanity checks for generated signatures (related to RhBug:608599)
- GPG supports all sorts of algorithms NSS doesn't, do some basic tests
to verify the generated signature is something we can actually use.
-rw-r--r-- | lib/signature.c | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/lib/signature.c b/lib/signature.c
index 91450299b..ad3141e1d 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -321,6 +321,29 @@ Header rpmFreeSignature(Header sigh)
 return headerFree(sigh);
 }
+/*
+ * NSS doesn't support everything GPG does. Basic tests to see if the
+ * generated signature is something we can use.
+ */
+static int validatePGPSig(pgpDigParams sigp)
+{
+ pgpHashAlgo pa = sigp->pubkey_algo;
+ /* TODO: query from the implementation instead of hardwiring here */
+ if (pa != PGPPUBKEYALGO_DSA && pa != PGPPUBKEYALGO_RSA) {
+ rpmlog(RPMLOG_ERR, _("Unsupported PGP pubkey algorithm %d\n"),
+ sigp->pubkey_algo);
+ return 1;
+ }
+
+ if (rpmDigestLength(sigp->hash_algo) == 0) {
+ rpmlog(RPMLOG_ERR, _("Unsupported PGP hash algorithm %d\n"),
+ sigp->hash_algo);
+ return 1;
+ }
+
+ return 0;
+}
+
 /**
 * Generate GPG signature(s) for a header+payload file.
 * @param file header+payload file name
@@ -450,8 +473,8 @@ static int makeGPGSignature(const char * file, rpmSigTag * sigTagp,
 break;
 }
+ rc = validatePGPSig(sigp);
 dig = pgpFreeDig(dig);
- rc = 0;
 exit:
 (void) unlink(sigfile); |
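Review bot: In `validatePGPSig` the local `pa` is declared as `pgpHashAlgo` although it holds `sigp->pubkey_algo`; it should read `pgpPubkeyAlgo pa = sigp->pubkey_algo;` so the type matches the `PGPPUBKEYALGO_*` constants it is compared against. The hash test only asks whether `rpmDigestLength()` knows the algorithm, so it is a capability check and not a strength policy: any digest the backend implements passes, weak ones included. A comment above that test would make this explicit, for example `/* capability check only: any digest the backend implements is accepted */`. The function also dereferences `sigp` without a NULL check, which is safe only as long as its single caller always passes a parsed signature.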
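Review bot: When `rc = validatePGPSig(sigp);` fails, nothing in this hunk releases or clears what `makeGPGSignature` may already have stored through its output parameters. The function body starts outside the hunk, so this is inferred, but a caller that ignores `rc` could still pick up a signature that verification will later reject. The call also has to stay ahead of `dig = pgpFreeDig(dig);`, since `sigp` presumably points into `dig`. A comment on the call would record both points, for example `/* must run before pgpFreeDig(); non-zero rc means the generated signature is unusable and must be discarded */`.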