diff options
author | Neal H. Walfield <neal@pep.foundation> | 2022-03-02 16:13:47 +0100 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2022-03-02 16:37:13 +0100 |
commit | 36cf94eb79259a481f09b43329798227b1002619 (patch) | |
tree | 7a76d00b39e3706ea5fcab279375d4ff914ecb1f | |
parent | 103faed45e48f07715b4dbae0f5b046b1a0a8bb2 (diff) |
sq: Display whether a certification is valid according to the policy
- When `sq inspect` displays a certification, also display the hash
algorithm, and whether the certification is valid according to the
currently policy.
- Recall: The standard policy rejects certifications that use SHA-1,
but GnuPG doesn't. This makes is easier for users to understand
why some certifications are ignored.
-rw-r--r-- | sq/src/commands/inspect.rs | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/sq/src/commands/inspect.rs b/sq/src/commands/inspect.rs index 9befbace..7873c91f 100644 --- a/sq/src/commands/inspect.rs +++ b/sq/src/commands/inspect.rs @@ -9,7 +9,7 @@ use openpgp::packet::{ key::PublicParts, }; use crate::openpgp::parse::{Parse, PacketParserResult}; -use crate::openpgp::policy::Policy; +use crate::openpgp::policy::{Policy, HashAlgoSecurity}; use crate::openpgp::packet::key::SecretKeyMaterial; use super::dump::Convert; @@ -175,7 +175,7 @@ fn inspect_cert(policy: &dyn Policy, } Err(e) => print_error_chain(output, &e)?, } - inspect_certifications(output, + inspect_certifications(output, policy, uidb.certifications(), print_certifications)?; writeln!(output)?; @@ -193,7 +193,7 @@ fn inspect_cert(policy: &dyn Policy, } Err(e) => print_error_chain(output, &e)?, } - inspect_certifications(output, + inspect_certifications(output, policy, uab.certifications(), print_certifications)?; writeln!(output)?; @@ -209,7 +209,7 @@ fn inspect_cert(policy: &dyn Policy, } Err(e) => print_error_chain(output, &e)?, } - inspect_certifications(output, + inspect_certifications(output, policy, ub.certifications(), print_certifications)?; writeln!(output)?; @@ -272,7 +272,8 @@ fn inspect_key(policy: &dyn Policy, writeln!(output, "{} Key flags: {}", indent, flags)?; } } - inspect_certifications(output, bundle.certifications().iter(), + inspect_certifications(output, policy, + bundle.certifications().iter(), print_certifications)?; Ok(()) @@ -401,9 +402,12 @@ fn inspect_signatures(output: &mut dyn io::Write, } fn inspect_certifications<'a, A>(output: &mut dyn io::Write, - certs: A, - print_certifications: bool) -> Result<()> where - A: std::iter::Iterator<Item=&'a openpgp::packet::Signature> { + policy: &dyn Policy, + certs: A, + print_certifications: bool) + -> Result<()> + where A: std::iter::Iterator<Item=&'a openpgp::packet::Signature> +{ if print_certifications { let mut emit_warning = false; for sig in certs { @@ -490,6 +494,18 @@ fn inspect_certifications<'a, A>(output: &mut dyn io::Write, keyid)?; } } + + writeln!(output, "{}Hash algorithm: {}", + indent, sig.hash_algo())?; + if let Err(err) = policy.signature( + sig, HashAlgoSecurity::CollisionResistance) + { + writeln!(output, + "{}Certificate is not valid according to \ + the current policy:\n\ + {} {}", + indent, indent, err)?; + } } if emit_warning { writeln!(output, " Note: \ |