database: don't be fooled by faux designated revocation signatures
This commit is contained in:
parent
4d4f22a9ef
commit
43609f3582
|
@ -2,7 +2,7 @@
|
|||
#![recursion_limit = "1024"]
|
||||
#![feature(try_from)]
|
||||
|
||||
use std::convert::{TryFrom,TryInto};
|
||||
use std::convert::TryFrom;
|
||||
use std::path::PathBuf;
|
||||
use std::str::FromStr;
|
||||
|
||||
|
@ -27,7 +27,6 @@ use tempfile::NamedTempFile;
|
|||
extern crate sequoia_openpgp as openpgp;
|
||||
use openpgp::{
|
||||
TPK,
|
||||
RevocationStatus,
|
||||
packet::UserID,
|
||||
parse::Parse,
|
||||
packet::KeyFlags,
|
||||
|
@ -45,7 +44,7 @@ mod stateful_tokens;
|
|||
pub use stateful_tokens::StatefulTokens;
|
||||
|
||||
mod openpgp_utils;
|
||||
use openpgp_utils::{tpk_filter_userids, tpk_to_string, tpk_clean};
|
||||
use openpgp_utils::{tpk_filter_userids, tpk_to_string, tpk_clean, is_status_revoked};
|
||||
|
||||
#[cfg(test)]
|
||||
mod test;
|
||||
|
@ -206,8 +205,7 @@ pub trait Database: Sync + Send {
|
|||
(new_tpk, false)
|
||||
};
|
||||
|
||||
let is_revoked = full_tpk_new.revocation_status()
|
||||
!= RevocationStatus::NotAsFarAsWeKnow;
|
||||
let is_revoked = is_status_revoked(full_tpk_new.revocation_status());
|
||||
|
||||
let is_ok = is_revoked ||
|
||||
full_tpk_new.subkeys().next().is_some() ||
|
||||
|
@ -237,7 +235,7 @@ pub trait Database: Sync + Send {
|
|||
.flat_map(|binding| {
|
||||
let uid = binding.userid();
|
||||
if let Ok(email) = Email::try_from(uid) {
|
||||
if binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow {
|
||||
if is_status_revoked(binding.revoked(None)) {
|
||||
Some((email, EmailAddressStatus::Revoked))
|
||||
} else if published_uids.contains(uid) {
|
||||
Some((email, EmailAddressStatus::Published))
|
||||
|
@ -259,7 +257,7 @@ pub trait Database: Sync + Send {
|
|||
|
||||
let revoked_uids: Vec<UserID> = full_tpk_new
|
||||
.userids()
|
||||
.filter(|binding| binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow)
|
||||
.filter(|binding| is_status_revoked(binding.revoked(None)))
|
||||
.map(|binding| binding.userid().clone())
|
||||
.collect();
|
||||
|
||||
|
@ -278,7 +276,7 @@ pub trait Database: Sync + Send {
|
|||
.filter(|email| {
|
||||
let has_unrevoked_userid = published_tpk_new
|
||||
.userids()
|
||||
.filter(|binding| binding.revoked(None) == RevocationStatus::NotAsFarAsWeKnow)
|
||||
.filter(|binding| !is_status_revoked(binding.revoked(None)))
|
||||
.map(|binding| binding.userid())
|
||||
.map(|uid| Email::try_from(uid).ok())
|
||||
.flatten()
|
||||
|
@ -337,8 +335,7 @@ pub trait Database: Sync + Send {
|
|||
.ok_or_else(|| failure::err_msg("Key not in database!"))
|
||||
.and_then(|bytes| TPK::from_bytes(bytes.as_ref()))?;
|
||||
|
||||
let is_revoked = tpk_full.revocation_status()
|
||||
!= RevocationStatus::NotAsFarAsWeKnow;
|
||||
let is_revoked = is_status_revoked(tpk_full.revocation_status());
|
||||
|
||||
let unparsed_uids = tpk_full
|
||||
.userids()
|
||||
|
@ -361,7 +358,7 @@ pub trait Database: Sync + Send {
|
|||
if let Ok(email) = Email::try_from(uid) {
|
||||
if !known_addresses.contains(&email) {
|
||||
None
|
||||
} else if binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow {
|
||||
} else if is_status_revoked(binding.revoked(None)) {
|
||||
Some((email, EmailAddressStatus::Revoked))
|
||||
} else if published_uids.contains(uid) {
|
||||
Some((email, EmailAddressStatus::Published))
|
||||
|
|
|
@ -2,11 +2,20 @@ use failure::Fallible as Result;
|
|||
|
||||
use openpgp::{
|
||||
TPK,
|
||||
RevocationStatus,
|
||||
armor::{Writer, Kind},
|
||||
packet::{UserID, Tag},
|
||||
serialize::Serialize as OpenPgpSerialize,
|
||||
};
|
||||
|
||||
pub fn is_status_revoked(status: RevocationStatus) -> bool {
|
||||
match status {
|
||||
RevocationStatus::Revoked(_) => true,
|
||||
RevocationStatus::CouldBe(_) => false,
|
||||
RevocationStatus::NotAsFarAsWeKnow => false,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn tpk_to_string(tpk: &TPK) -> Result<Vec<u8>> {
|
||||
let mut buf = Vec::new();
|
||||
{
|
||||
|
|
|
@ -93,13 +93,13 @@
|
|||
</a></h3>
|
||||
|
||||
<p>
|
||||
This is a problem with current versions of GnuPG. If you are
|
||||
trying to update a key from Hagrid that includes only
|
||||
non-identity information, GnuPG will complain complain about the
|
||||
key not having a userid:
|
||||
This is a problem with current versions of GnuPG. If you attempt to
|
||||
update a key from <span class="brand">keys.openpgp.org</span> that
|
||||
contains no <a href="/about">identity information</a>, GnuPG will refuse
|
||||
to process the key:
|
||||
</p>
|
||||
<blockquote>
|
||||
$ gpg --receive-keys A2604867523C7ED8<br>
|
||||
$ gpg --receive-keys A2604867523C7ED8<br />
|
||||
gpg: key A2604867523C7ED8: no user ID
|
||||
</blockquote>
|
||||
<p>
|
||||
|
|
|
@ -46,10 +46,10 @@
|
|||
</li>
|
||||
<li>To refresh all your keys (e.g. new revocation certificates and subkeys):
|
||||
<blockquote>gpg --refresh-keys</blockquote>
|
||||
<b>Note:</b> If you see messages like the following,
|
||||
see <a href="/about/faq#older-gnupg">here</a> for notes on
|
||||
compatibility with older versions of GnuPG.
|
||||
<blockquote>gpg: key A2604867523C7ED8: no user ID</blockquote>
|
||||
<b>Note:</b> If you see errors like the following,
|
||||
see <a href="/about/faq#older-gnupg">our notes</a> on compatibility
|
||||
with older versions of GnuPG.
|
||||
<blockquote>gpg: key A2604867523C7ED8: no user ID</blockquote>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
|
@ -93,8 +93,8 @@
|
|||
<h2 style="margin-left: 3%;">API</h2>
|
||||
|
||||
<p>
|
||||
We offer an API integrated support in OpenPGP applications. Check out
|
||||
our <a href="/about/api">API documentation</a>.
|
||||
We offer an API for integrated support in OpenPGP applications. Check
|
||||
out our <a href="/about/api">API documentation</a>.
|
||||
</p>
|
||||
|
||||
<h2 style="margin-left: 3%;">Others</h2>
|
||||
|
|
Loading…
Reference in New Issue