author | Neal H. Walfield <neal@pep.foundation> | 2020-06-30 14:41:32 +0200 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2020-06-30 14:44:00 +0200 |
commit | b2404c84549312146c61e3d7e3e418fe60177d40 (patch) | |
tree | dff8cced633b7ca06fcf524c724931c2ddd442aa | |
parent | 1d2ad5f5e39884fee1464c0cefb114ba50ccf42f (diff) |
openpgp: A direct key signature can be made by a third party.
- To support third-party direct key signatures (e.g., revocations),
change `SignatureBuilder::sign_direct_key` to take the key that is
being signed, and not assume that it is `signer::public`.
-rw-r--r-- | openpgp/src/cert/builder.rs | 2 | ||||
-rw-r--r-- | openpgp/src/cert/mod.rs | 10 | ||||
-rw-r--r-- | openpgp/src/packet/signature/mod.rs | 7 | ||||
-rw-r--r-- | sqv/tests/revoked-key.rs | 6 |
4 files changed, 13 insertions, 12 deletions
diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index c4487ac9..fd82bf21 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -1062,7 +1062,7 @@ impl CertBuilder { let mut signer = key.clone().into_keypair() .expect("key generated above has a secret"); - let sig = sig.sign_direct_key(&mut signer)?; + let sig = sig.sign_direct_key(&mut signer, &key)?; Ok((key, sig.into())) } diff --git a/openpgp/src/cert/mod.rs b/openpgp/src/cert/mod.rs index f82e3348..d7cad557 100644 --- a/openpgp/src/cert/mod.rs +++ b/openpgp/src/cert/mod.rs @@ -4073,13 +4073,13 @@ mod test { .set_signature_creation_time(t1).unwrap() .set_key_validity_period(Some(time::Duration::new(10 * 52 * 7 * 24 * 60 * 60, 0))).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() - .sign_direct_key(&mut pair).unwrap(); + .sign_direct_key(&mut pair, &key).unwrap(); let rev1 = signature::SignatureBuilder::new(SignatureType::KeyRevocation) .set_signature_creation_time(t2).unwrap() .set_reason_for_revocation(ReasonForRevocation::KeySuperseded, &b""[..]).unwrap() - .sign_direct_key(&mut pair).unwrap(); + .sign_direct_key(&mut pair, &key).unwrap(); let bind2 = signature::SignatureBuilder::new(SignatureType::DirectKey) .set_features(&Features::sequoia()).unwrap() @@ -4087,13 +4087,13 @@ mod test { .set_signature_creation_time(t3).unwrap() .set_key_validity_period(Some(time::Duration::new(10 * 52 * 7 * 24 * 60 * 60, 0))).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() - .sign_direct_key(&mut pair).unwrap(); + .sign_direct_key(&mut pair, &key).unwrap(); let rev2 = signature::SignatureBuilder::new(SignatureType::KeyRevocation) .set_signature_creation_time(t4).unwrap() .set_reason_for_revocation(ReasonForRevocation::KeyCompromised, &b""[..]).unwrap() - .sign_direct_key(&mut pair).unwrap(); + .sign_direct_key(&mut pair, &key).unwrap(); (bind1, rev1, bind2, rev2) }; 
@@ -4755,7 +4755,7 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= .unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]).unwrap() .set_signature_creation_time(*t).unwrap() - .sign_direct_key(&mut pair).unwrap(); + .sign_direct_key(&mut pair, &key).unwrap(); let binding : Packet = binding.into(); diff --git a/openpgp/src/packet/signature/mod.rs b/openpgp/src/packet/signature/mod.rs index 9d7f6196..7c95e9f8 100644 --- a/openpgp/src/packet/signature/mod.rs +++ b/openpgp/src/packet/signature/mod.rs @@ -284,8 +284,10 @@ impl SignatureBuilder { /// algorithm used by `signer`. /// If not set before, Issuer and Issuer Fingerprint subpackets are added /// pointing to `signer`. - pub fn sign_direct_key(mut self, signer: &mut dyn Signer) + pub fn sign_direct_key<P>(mut self, signer: &mut dyn Signer, + pk: &Key<P, key::PrimaryRole>) -> Result<Signature> + where P: key::KeyParts, { match self.typ { SignatureType::DirectKey => (), @@ -296,8 +298,7 @@ impl SignatureBuilder { self = self.pre_sign(signer)?; - let digest = Signature::hash_direct_key( - &self, signer.public().role_as_primary())?; + let digest = Signature::hash_direct_key(&self, pk)?; self.sign(signer, digest) } diff --git a/sqv/tests/revoked-key.rs b/sqv/tests/revoked-key.rs index 838d5d18..65e03255 100644 --- a/sqv/tests/revoked-key.rs +++ b/sqv/tests/revoked-key.rs @@ -306,7 +306,7 @@ fn create_key() { .set_signature_creation_time(t1).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]) .unwrap(); - let direct1 = b.sign_direct_key(&mut signer).unwrap(); + let direct1 = b.sign_direct_key(&mut signer, &key).unwrap(); // 1st subkey binding signature valid from t_sk_binding on b = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) 
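Review bot: The new `pk` parameter of `sign_direct_key` (the `@@ -284` hunk of openpgp/src/packet/signature/mod.rs) is undocumented, while the visible doc comment lines still describe only `signer`. Because `pk` no longer has to be `signer.public()`, the contract should state which key is hashed and when a caller is expected to pass something else, so that a mismatch reads as an intended third-party signature rather than a silent caller bug that yields a signature over the wrong key. Suggest adding, before the `pub fn sign_direct_key<P>` line, `/// pk is the primary key the signature is made over.  For a self-signature pass signer.public(); for a third-party direct key signature (e.g., a revocation) pass the key being signed.` The doc comment starts above the hunk and the function body continues in the following `@@ -296` hunk, where the `hash_direct_key` call consistently switches from `signer.public().role_as_primary()` to `pk`.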
@@ -327,7 +327,7 @@ fn create_key() { .set_signature_creation_time(t3).unwrap() .set_preferred_hash_algorithms(vec![HashAlgorithm::SHA512]) .unwrap(); - let direct2 = b.sign_direct_key(&mut signer).unwrap(); + let direct2 = b.sign_direct_key(&mut signer, &key).unwrap(); // 2nd subkey binding signature valid from t3 on let mut b = signature::SignatureBuilder::new(SignatureType::SubkeyBinding) @@ -370,7 +370,7 @@ fn create_key() { .unwrap(); } - let rev = b.sign_direct_key(&mut signer).unwrap(); + let rev = b.sign_direct_key(&mut signer, &key).unwrap(); let cert = Cert::try_from(vec![ key.clone().into(), direct1.clone().into(), |