diff options
author | Neal H. Walfield <neal@pep.foundation> | 2020-06-29 16:56:55 +0200 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2020-06-29 18:28:05 +0200 |
commit | 92c5a1612995201afbcd1b9b5b6d749cf1b2d6a7 (patch) | |
tree | 2d54c8654d014bc40e1b3a1c9a1d73d501739435 | |
parent | cd01d146546afb04fcbe493a2fa5d81077d646f4 (diff) |
openpgp: Don't unnecessarily set signature subpackets.
- When using the `SignatureBuilder`, the signature creation time and
issuer subpackets will be correctly set by default.
- Don't do it explicitly.
-rw-r--r-- | openpgp/src/cert/bindings.rs | 21 | ||||
-rw-r--r-- | openpgp/src/cert/builder.rs | 6 | ||||
-rw-r--r-- | openpgp/src/cert/mod.rs | 12 | ||||
-rw-r--r-- | openpgp/src/cert/revoke.rs | 11 | ||||
-rw-r--r-- | openpgp/src/packet/signature/mod.rs | 12 | ||||
-rw-r--r-- | openpgp/src/policy.rs | 8 | ||||
-rw-r--r-- | openpgp/src/serialize/stream.rs | 6 | ||||
-rw-r--r-- | sqv/tests/revoked-key.rs | 50 | ||||
-rw-r--r-- | sqv/tests/wrong-key-flags.rs | 3 |
9 files changed, 16 insertions, 113 deletions
diff --git a/openpgp/src/cert/bindings.rs b/openpgp/src/cert/bindings.rs index 7dc8a0d3..a1b19278 100644 --- a/openpgp/src/cert/bindings.rs +++ b/openpgp/src/cert/bindings.rs @@ -64,11 +64,8 @@ impl<P: key::KeyParts> Key<P, key::SubordinateRole> { signature: signature::SignatureBuilder) -> Result<Signature> { - signature - .set_issuer_fingerprint(signer.public().fingerprint())? - .set_issuer(signer.public().keyid())? - .sign_subkey_binding( - signer, cert.primary_key().key(), self) + signature.sign_subkey_binding( + signer, cert.primary_key().key(), self) } } @@ -117,11 +114,8 @@ impl UserID { signature: signature::SignatureBuilder) -> Result<Signature> { - signature - .set_issuer_fingerprint(signer.public().fingerprint())? - .set_issuer(signer.public().keyid())? - .sign_userid_binding( - signer, cert.primary_key().key(), self) + signature.sign_userid_binding( + signer, cert.primary_key().key(), self) } /// Returns a certificate for the user id. @@ -256,11 +250,8 @@ impl UserAttribute { signature: signature::SignatureBuilder) -> Result<Signature> { - signature - .set_issuer_fingerprint(signer.public().fingerprint())? - .set_issuer(signer.public().keyid())? - .sign_user_attribute_binding( - signer, cert.primary_key().key(), self) + signature.sign_user_attribute_binding( + signer, cert.primary_key().key(), self) } /// Returns a certificate for the user attribute. diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index 23c84792..c4487ac9 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -1013,10 +1013,6 @@ impl CertBuilder { .set_signature_creation_time(creation_time)? // GnuPG wants at least a 512-bit hash for P521 keys. .set_hash_algo(HashAlgorithm::SHA512) - .set_signature_creation_time( - time::SystemTime::now())? - .set_issuer_fingerprint(subkey.fingerprint())? - .set_issuer(subkey.keyid())? .sign_primary_key_binding(&mut subkey_signer, &primary, &subkey)?; builder = builder.set_embedded_signature(backsig)?; @@ -1058,8 +1054,6 @@ impl CertBuilder { .set_key_flags(&self.primary.flags)? .set_signature_creation_time(creation_time)? .set_key_expiration_time(&key, self.primary.expiration)? - .set_issuer_fingerprint(key.fingerprint())? - .set_issuer(key.keyid())? .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512])?; if let Some(ref revocation_keys) = self.revocation_keys { diff --git a/openpgp/src/cert/mod.rs b/openpgp/src/cert/mod.rs index 36d54451..a3ccc21c 100644 --- a/openpgp/src/cert/mod.rs +++ b/openpgp/src/cert/mod.rs @@ -4069,8 +4069,6 @@ mod test { .set_key_flags(&KeyFlags::default()).unwrap() .set_signature_creation_time(t1).unwrap() .set_key_validity_period(Some(time::Duration::new(10 * 52 * 7 * 24 * 60 * 60, 0))).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() .sign_direct_key(&mut pair).unwrap(); @@ -4078,8 +4076,6 @@ mod test { .set_signature_creation_time(t2).unwrap() .set_reason_for_revocation(ReasonForRevocation::KeySuperseded, &b""[..]).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .sign_direct_key(&mut pair).unwrap(); let bind2 = signature::SignatureBuilder::new(SignatureType::DirectKey) @@ -4087,8 +4083,6 @@ mod test { .set_key_flags(&KeyFlags::default()).unwrap() .set_signature_creation_time(t3).unwrap() .set_key_validity_period(Some(time::Duration::new(10 * 52 * 7 * 24 * 60 * 60, 0))).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() .sign_direct_key(&mut pair).unwrap(); @@ -4096,8 +4090,6 @@ mod test { .set_signature_creation_time(t4).unwrap() .set_reason_for_revocation(ReasonForRevocation::KeyCompromised, &b""[..]).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .sign_direct_key(&mut pair).unwrap(); (bind1, rev1, bind2, rev2) @@ -4758,8 +4750,6 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= .set_key_validity_period(Some( time::Duration::new((1 + i as u64) * 24 * 60 * 60, 0))) .unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() .set_signature_creation_time(*t).unwrap() .sign_direct_key(&mut pair).unwrap(); @@ -4937,8 +4927,6 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= packet::Tag::PublicSubkey, anyhow::anyhow!("fake key")); fake_key.set_body("fake key".into()); let fake_binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) - .set_issuer(primary_pair.public().keyid())? - .set_issuer_fingerprint(primary_pair.public().fingerprint())? .sign_standalone(&mut primary_pair)?; let cert = cert.merge_packets(vec![Packet::from(fake_key), fake_binding.clone().into()])?; diff --git a/openpgp/src/cert/revoke.rs b/openpgp/src/cert/revoke.rs index ba46fd1b..909aa573 100644 --- a/openpgp/src/cert/revoke.rs +++ b/openpgp/src/cert/revoke.rs @@ -231,16 +231,7 @@ impl CertRevocationBuilder { cert.primary_key().hash(&mut hash); - let creation_time - = self.signature_creation_time() - .unwrap_or_else(time::SystemTime::now); - - self.builder - // If not set, set it to now. - .set_signature_creation_time(creation_time)? - .set_issuer_fingerprint(signer.public().fingerprint())? - .set_issuer(signer.public().keyid())? - .sign_hash(signer, hash) + self.builder.sign_hash(signer, hash) } } diff --git a/openpgp/src/packet/signature/mod.rs b/openpgp/src/packet/signature/mod.rs index 404375ba..7376024f 100644 --- a/openpgp/src/packet/signature/mod.rs +++ b/openpgp/src/packet/signature/mod.rs @@ -1524,10 +1524,6 @@ mod test { let msg = b"Hello, World"; let mut pair = key.into_keypair().unwrap(); let sig = SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time( - std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(pair.public().fingerprint()).unwrap() - .set_issuer(pair.public().keyid()).unwrap() .sign_message(&mut pair, msg).unwrap(); sig.verify_message(pair.public(), msg).unwrap(); @@ -1653,10 +1649,6 @@ mod test { let mut pair = key.into_keypair().unwrap(); let sig = SignatureBuilder::new(SignatureType::Standalone) - .set_signature_creation_time( - std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(pair.public().fingerprint()).unwrap() - .set_issuer(pair.public().keyid()).unwrap() .sign_standalone(&mut pair) .unwrap(); @@ -1685,10 +1677,6 @@ mod test { let mut pair = key.into_keypair().unwrap(); let sig = SignatureBuilder::new(SignatureType::Timestamp) - .set_signature_creation_time( - std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(pair.public().fingerprint()).unwrap() - .set_issuer(pair.public().keyid()).unwrap() .sign_timestamp(&mut pair) .unwrap(); diff --git a/openpgp/src/policy.rs b/openpgp/src/policy.rs index a4635201..1cdb39ac 100644 --- a/openpgp/src/policy.rs +++ b/openpgp/src/policy.rs @@ -1511,8 +1511,6 @@ mod test { = Key4::generate_rsa(4096)?.into(); let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(&KeyFlags::default().set_transport_encryption(true))? - .set_issuer_fingerprint(cert.fingerprint())? - .set_issuer(cert.keyid())? .sign_subkey_binding(&mut pk.clone().into_keypair()?, &pk, &subkey)?; @@ -1536,8 +1534,6 @@ mod test { = key::Key4::generate_ecc(true, Curve::Ed25519)?.into(); let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(&KeyFlags::default().set_transport_encryption(true))? - .set_issuer_fingerprint(cert.fingerprint())? - .set_issuer(cert.keyid())? .sign_subkey_binding(&mut pk.clone().into_keypair()?, &pk, &subkey)?; @@ -1664,10 +1660,6 @@ mod test { // Create a signature. let sig = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time( - std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.keyid()).unwrap() .sign_message(&mut keypair, msg).unwrap(); // Make sure the signature is ok. diff --git a/openpgp/src/serialize/stream.rs b/openpgp/src/serialize/stream.rs index 36c3358f..5a7ce963 100644 --- a/openpgp/src/serialize/stream.rs +++ b/openpgp/src/serialize/stream.rs @@ -1146,11 +1146,7 @@ impl<'a> Signer<'a> { let mut sig = self.template.clone() .set_signature_creation_time( self.creation_time - .unwrap_or_else(SystemTime::now))? - .set_issuer_fingerprint(signer.public().fingerprint())? - // GnuPG up to (and including) 2.2.8 requires the - // Issuer subpacket to be present. - .set_issuer(signer.public().keyid())?; + .unwrap_or_else(SystemTime::now))?; if ! self.intended_recipients.is_empty() { sig = sig.set_intended_recipients( diff --git a/sqv/tests/revoked-key.rs b/sqv/tests/revoked-key.rs index 518bf8b8..838d5d18 100644 --- a/sqv/tests/revoked-key.rs +++ b/sqv/tests/revoked-key.rs @@ -304,8 +304,6 @@ fn create_key() { .set_key_flags(&KeyFlags::default() .set_signing(true).set_certification(true)).unwrap() .set_signature_creation_time(t1).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]) .unwrap(); let direct1 = b.sign_direct_key(&mut signer).unwrap(); @@ -314,13 +312,9 @@ fn create_key() { b = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(&KeyFlags::default().set_signing(true)).unwrap() .set_signature_creation_time(t_sk_binding).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap() .set_embedded_signature( signature::SignatureBuilder::new(SignatureType::PrimaryKeyBinding) .set_signature_creation_time(t_sk_binding).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.keyid()).unwrap() .sign_subkey_binding(&mut sk_signer, &key, &subkey).unwrap()) .unwrap(); let sk_bind1 = b.sign_subkey_binding(&mut signer, &key, &subkey).unwrap(); @@ -331,8 +325,6 @@ fn create_key() { .set_key_flags(&KeyFlags::default() .set_signing(true).set_certification(true)).unwrap() .set_signature_creation_time(t3).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]) .unwrap(); let direct2 = b.sign_direct_key(&mut signer).unwrap(); @@ -341,13 +333,9 @@ fn create_key() { let mut b = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) .set_key_flags(&KeyFlags::default().set_signing(true)).unwrap() .set_signature_creation_time(t3).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap() .set_embedded_signature( signature::SignatureBuilder::new(SignatureType::PrimaryKeyBinding) .set_signature_creation_time(t3).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.keyid()).unwrap() .sign_subkey_binding(&mut sk_signer, &key, &subkey).unwrap()) .unwrap(); let sk_bind2 = b.sign_subkey_binding(&mut signer, &key, &subkey).unwrap(); @@ -375,9 +363,7 @@ fn create_key() { ] { // Revocation sig valid from t2 on let mut b = signature::SignatureBuilder::new(SignatureType::KeyRevocation) - .set_signature_creation_time(t2).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap(); + .set_signature_creation_time(t2).unwrap(); if let Some(r) = reason { b = b.set_reason_for_revocation(r.clone(), r.to_string().as_bytes()) @@ -402,9 +388,7 @@ fn create_key() { // Again, this time we revoke the subkey. let mut b = signature::SignatureBuilder::new(SignatureType::SubkeyRevocation) - .set_signature_creation_time(t2).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap(); + .set_signature_creation_time(t2).unwrap(); if let Some(r) = reason { b = b.set_reason_for_revocation(r.clone(), r.to_string().as_bytes()) @@ -431,8 +415,6 @@ fn create_key() { // 0th message sig before t1 let sig0 = signature::SignatureBuilder::new(SignatureType::Binary) .set_signature_creation_time(t0).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap() .sign_message(&mut signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t0.pgp").unwrap(); Packet::from(sig0).serialize(&mut fd).unwrap(); @@ -440,62 +422,46 @@ fn create_key() { // 0th message sig before t1, subkey let sig0 = signature::SignatureBuilder::new(SignatureType::Binary) .set_signature_creation_time(t0).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.fingerprint().into()).unwrap() .sign_message(&mut sk_signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t0.sk.pgp").unwrap(); Packet::from(sig0).serialize(&mut fd).unwrap(); // 1st message sig between t1 and t2 b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(t12).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap(); + .set_signature_creation_time(t12).unwrap(); let sig1 = b.sign_message(&mut signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t1-t2.pgp").unwrap(); Packet::from(sig1).serialize(&mut fd).unwrap(); // 1st message sig between t1 and t2, subkey b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(t12).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.fingerprint().into()).unwrap(); + .set_signature_creation_time(t12).unwrap(); let sig1 = b.sign_message(&mut sk_signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t1-t2.sk.pgp").unwrap(); Packet::from(sig1).serialize(&mut fd).unwrap(); // 2nd message sig between t2 and t3 b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(t23).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap(); + .set_signature_creation_time(t23).unwrap(); let sig2 = b.sign_message(&mut signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t2-t3.pgp").unwrap(); Packet::from(sig2).serialize(&mut fd).unwrap(); // 2nd message sig between t2 and t3, subkey b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(t23).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.fingerprint().into()).unwrap(); + .set_signature_creation_time(t23).unwrap(); let sig2 = b.sign_message(&mut sk_signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t2-t3.sk.pgp").unwrap(); Packet::from(sig2).serialize(&mut fd).unwrap(); // 3rd message sig between t3 and now - b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(key.fingerprint()).unwrap() - .set_issuer(key.fingerprint().into()).unwrap(); + b = signature::SignatureBuilder::new(SignatureType::Binary); let sig3 = b.sign_message(&mut signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t3-now.pgp").unwrap(); Packet::from(sig3).serialize(&mut fd).unwrap(); // 3rd message sig between t3 and now, subkey - b = signature::SignatureBuilder::new(SignatureType::Binary) - .set_signature_creation_time(std::time::SystemTime::now()).unwrap() - .set_issuer_fingerprint(subkey.fingerprint()).unwrap() - .set_issuer(subkey.fingerprint().into()).unwrap(); + b = signature::SignatureBuilder::new(SignatureType::Binary); let sig3 = b.sign_message(&mut sk_signer, msg).unwrap(); let mut fd = File::create("revoked-key-sig-t3-now.sk.pgp").unwrap(); Packet::from(sig3).serialize(&mut fd).unwrap(); diff --git a/sqv/tests/wrong-key-flags.rs b/sqv/tests/wrong-key-flags.rs index 599725d2..222297c5 100644 --- a/sqv/tests/wrong-key-flags.rs +++ b/sqv/tests/wrong-key-flags.rs @@ -51,9 +51,6 @@ mod integration { // _ => unreachable!(), // }; // let mut b = signature::SignatureBuilder::new(SignatureType::Binary); -// b.set_signature_creation_time(time::now()).unwrap(); -// b.set_issuer_fingerprint(key.fingerprint()).unwrap(); -// b.set_issuer(key.fingerprint().into()).unwrap(); // b.sign_message( // &mut KeyPair::new(key.clone(), mpis.clone()).unwrap(), // HashAlgorithm::SHA512, b"Hello, World").unwrap() |