diff options
author | Justus Winter <justus@sequoia-pgp.org> | 2024-04-22 16:04:53 +0200 |
---|---|---|
committer | Justus Winter <justus@sequoia-pgp.org> | 2024-05-29 12:17:24 +0200 |
commit | 1b38fd1a464a855adfdb0a2b3b6395d765bd9aa2 (patch) | |
tree | 5a312c2c9d5313b3ac89bd478e16daeb3ce3da39 | |
parent | a7bb0d833ea9babace923753d4ce7f24c8e6cae2 (diff) |
openpgp: Improve handling of attestation key signatures.
- Previously, attestation key signatures were put into the
self_signatures bin. Then, in canonicalize they would fail to
verify as binding signature, and be put into the bad bin. Later,
when re-trying the bad signatures, we'd find the correct place for
it again.
- Instead, sort them into the attestations bin, and correctly verify
the attestations on the first try in Cert::canonicalize.
-rw-r--r-- | openpgp/src/cert.rs | 7 | ||||
-rw-r--r-- | openpgp/src/cert/parser/mod.rs | 4 |
2 files changed, 10 insertions, 1 deletions
diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs index bbbde3e1..a484a88e 100644 --- a/openpgp/src/cert.rs +++ b/openpgp/src/cert.rs @@ -1649,6 +1649,10 @@ impl Cert { String::from_utf8_lossy(ua.userid().value())), ua, self_revocations, verify_userid_revocation, ua.userid()); + check!(format!("userid \"{}\"", + String::from_utf8_lossy(ua.userid().value())), + ua, attestations, verify_userid_attestation, + ua.userid()); check_3rd_party!( format!("userid \"{}\"", String::from_utf8_lossy(ua.userid().value())), @@ -1670,6 +1674,9 @@ impl Cert { check!("user attribute", binding, self_revocations, verify_user_attribute_revocation, binding.user_attribute()); + check!("user attribute", + binding, attestations, verify_user_attribute_attestation, + binding.user_attribute()); check_3rd_party!( "user attribute", binding, certifications, lookup_fn, diff --git a/openpgp/src/cert/parser/mod.rs b/openpgp/src/cert/parser/mod.rs index 4728a553..2b04922a 100644 --- a/openpgp/src/cert/parser/mod.rs +++ b/openpgp/src/cert/parser/mod.rs @@ -937,7 +937,9 @@ fn split_sigs<C>(primary: &KeyHandle, b: &mut ComponentBundle<C>) || issuers.iter().any(|kh| kh.aliases(primary)); use crate::SignatureType::*; - if typ == KeyRevocation + if typ == AttestationKey { + b.attestations.push(sig); + } else if typ == KeyRevocation || typ == SubkeyRevocation || typ == CertificationRevocation { |