database: don't be fooled by faux designated revocation signatures

database/src/lib.rs

@@ -2,7 +2,7 @@
 #![recursion_limit = "1024"]
 #![feature(try_from)]
 
-use std::convert::{TryFrom,TryInto};
+use std::convert::TryFrom;
 use std::path::PathBuf;
 use std::str::FromStr;
 
@@ -27,7 +27,6 @@ use tempfile::NamedTempFile;
 extern crate sequoia_openpgp as openpgp;
 use openpgp::{
     TPK,
-    RevocationStatus,
     packet::UserID,
     parse::Parse,
     packet::KeyFlags,
@@ -45,7 +44,7 @@ mod stateful_tokens;
 pub use stateful_tokens::StatefulTokens;
 
 mod openpgp_utils;
-use openpgp_utils::{tpk_filter_userids, tpk_to_string, tpk_clean};
+use openpgp_utils::{tpk_filter_userids, tpk_to_string, tpk_clean, is_status_revoked};
 
 #[cfg(test)]
 mod test;
@@ -206,8 +205,7 @@ pub trait Database: Sync + Send {
             (new_tpk, false)
         };
 
-        let is_revoked = full_tpk_new.revocation_status()
-            != RevocationStatus::NotAsFarAsWeKnow;
+        let is_revoked = is_status_revoked(full_tpk_new.revocation_status());
 
         let is_ok = is_revoked ||
             full_tpk_new.subkeys().next().is_some() ||
@@ -237,7 +235,7 @@ pub trait Database: Sync + Send {
             .flat_map(|binding| {
                 let uid = binding.userid();
                 if let Ok(email) = Email::try_from(uid) {
-                    if binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow {
+                    if is_status_revoked(binding.revoked(None)) {
                         Some((email, EmailAddressStatus::Revoked))
                     } else if published_uids.contains(uid) {
                         Some((email, EmailAddressStatus::Published))
@@ -259,7 +257,7 @@ pub trait Database: Sync + Send {
 
         let revoked_uids: Vec<UserID> = full_tpk_new
             .userids()
-            .filter(|binding| binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow)
+            .filter(|binding| is_status_revoked(binding.revoked(None)))
             .map(|binding| binding.userid().clone())
             .collect();
 
@@ -278,7 +276,7 @@ pub trait Database: Sync + Send {
             .filter(|email| {
                 let has_unrevoked_userid = published_tpk_new
                     .userids()
-                    .filter(|binding| binding.revoked(None) == RevocationStatus::NotAsFarAsWeKnow)
+                    .filter(|binding| !is_status_revoked(binding.revoked(None)))
                     .map(|binding| binding.userid())
                     .map(|uid| Email::try_from(uid).ok())
                     .flatten()
@@ -337,8 +335,7 @@ pub trait Database: Sync + Send {
             .ok_or_else(|| failure::err_msg("Key not in database!"))
             .and_then(|bytes| TPK::from_bytes(bytes.as_ref()))?;
 
-        let is_revoked = tpk_full.revocation_status()
-            != RevocationStatus::NotAsFarAsWeKnow;
+        let is_revoked = is_status_revoked(tpk_full.revocation_status());
 
         let unparsed_uids = tpk_full
             .userids()
@@ -361,7 +358,7 @@ pub trait Database: Sync + Send {
                 if let Ok(email) = Email::try_from(uid) {
                     if !known_addresses.contains(&email) {
                         None
-                    } else if binding.revoked(None) != RevocationStatus::NotAsFarAsWeKnow {
+                    } else if is_status_revoked(binding.revoked(None)) {
                         Some((email, EmailAddressStatus::Revoked))
                     } else if published_uids.contains(uid) {
                         Some((email, EmailAddressStatus::Published))

database/src/openpgp_utils.rs

@@ -2,11 +2,20 @@ use failure::Fallible as Result;
 
 use openpgp::{
     TPK,
+    RevocationStatus,
     armor::{Writer, Kind},
     packet::{UserID, Tag},
     serialize::Serialize as OpenPgpSerialize,
 };
 
+pub fn is_status_revoked(status: RevocationStatus) -> bool {
+    match status {
+        RevocationStatus::Revoked(_) => true,
+        RevocationStatus::CouldBe(_) => false,
+        RevocationStatus::NotAsFarAsWeKnow => false,
+    }
+}
+
 pub fn tpk_to_string(tpk: &TPK) -> Result<Vec<u8>> {
     let mut buf = Vec::new();
     {

dist/templates/about/faq.html.hbs

@@ -93,13 +93,13 @@
     </a></h3>
 
     <p>
-      This is a problem with current versions of GnuPG.  If you are
-      trying to update a key from Hagrid that includes only
-      non-identity information, GnuPG will complain complain about the
-      key not having a userid:
+      This is a problem with current versions of GnuPG.  If you attempt to
+      update a key from <span class="brand">keys.openpgp.org</span> that
+      contains no <a href="/about">identity information</a>, GnuPG will refuse
+      to process the key:
     </p>
     <blockquote>
-      $ gpg --receive-keys A2604867523C7ED8<br>
+      $ gpg --receive-keys A2604867523C7ED8<br />
       gpg: key A2604867523C7ED8: no user ID
     </blockquote>
     <p>

dist/templates/about/usage.html.hbs

@@ -46,10 +46,10 @@
         </li>
         <li>To refresh all your keys (e.g. new revocation certificates and subkeys):
             <blockquote>gpg --refresh-keys</blockquote>
-	    <b>Note:</b> If you see messages like the following,
-	    see <a href="/about/faq#older-gnupg">here</a> for notes on
-	    compatibility with older versions of GnuPG.
-	    <blockquote>gpg: key A2604867523C7ED8: no user ID</blockquote>
+            <b>Note:</b> If you see errors like the following,
+            see <a href="/about/faq#older-gnupg">our notes</a> on compatibility
+            with older versions of GnuPG.
+            <blockquote>gpg: key A2604867523C7ED8: no user ID</blockquote>
         </li>
     </ul>
 
@@ -93,8 +93,8 @@
     <h2 style="margin-left: 3%;">API</h2>
 
     <p>
-        We offer an API integrated support in OpenPGP applications. Check out
-        our <a href="/about/api">API documentation</a>.
+        We offer an API for integrated support in OpenPGP applications. Check
+        out our <a href="/about/api">API documentation</a>.
     </p>
 
     <h2 style="margin-left: 3%;">Others</h2>