diff options
| author | Justus Winter <justus@sequoia-pgp.org> | 2020-08-07 13:22:54 +0200 |
|---|---|---|
| committer | Justus Winter <justus@sequoia-pgp.org> | 2020-08-07 13:39:03 +0200 |
| commit | 19cef0decc102e01d85bdb727337734926ed6ef1 (patch) | |
| tree | ce946d72963d0e0ee809b04bc74f4b021b813288 | |
| parent | 4d4127e2370a3c2f4a4850a3bd6aac949eab29e0 (diff) | |
openpgp: Check that primary key binding signatures are alive.
- Fixes #539.
| -rw-r--r-- | openpgp/src/cert/bundle.rs | 11 | ||||
| -rw-r--r-- | openpgp/src/cert/mod.rs | 13 | ||||
| -rw-r--r-- | openpgp/tests/data/keys/peter-expired-backsig.pgp | bin | 0 -> 2143 bytes |
3 files changed, 24 insertions, 0 deletions
diff --git a/openpgp/src/cert/bundle.rs b/openpgp/src/cert/bundle.rs index ea851443..c8a0a2f7 100644 --- a/openpgp/src/cert/bundle.rs +++ b/openpgp/src/cert/bundle.rs @@ -314,6 +314,17 @@ impl<C> ComponentBundle<C> { s.key_flags().map(|kf| kf.for_signing()).unwrap_or(false) { if let Some(backsig) = s.embedded_signature() { + if let Err(e) = backsig.signature_alive( + t, time::Duration::new(0, 0)) + { + // The primary key binding signature is not + // alive. + if error.is_none() { + error = Some(e); + } + continue; + } + if let Err(e) = policy.signature(backsig) { if error.is_none() { error = Some(e); diff --git a/openpgp/src/cert/mod.rs b/openpgp/src/cert/mod.rs index 443284f6..b0c4b9e3 100644 --- a/openpgp/src/cert/mod.rs +++ b/openpgp/src/cert/mod.rs @@ -5286,4 +5286,17 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= assert_eq!(cert.with_policy(p, None)?.keys().for_signing().count(), 0); Ok(()) } + + /// Tests whether expired primary key binding signatures are + /// rejected. + #[test] + fn issue_539() -> Result<()> { + let cert = + Cert::from_bytes(crate::tests::key("peter-expired-backsig.pgp"))?; + let p = &crate::policy::NullPolicy::new(); + assert_eq!(cert.with_policy(p, None)?.keys().for_signing().count(), 0); + let p = &crate::policy::StandardPolicy::new(); + assert_eq!(cert.with_policy(p, None)?.keys().for_signing().count(), 0); + Ok(()) + } } diff --git a/openpgp/tests/data/keys/peter-expired-backsig.pgp b/openpgp/tests/data/keys/peter-expired-backsig.pgp Binary files differnew file mode 100644 index 00000000..c260ac5f --- /dev/null +++ b/openpgp/tests/data/keys/peter-expired-backsig.pgp |