openpgp: Handle header lines in the cleartext signature framework.

  - Fixes #1091.

4 files changed, 103 insertions, 1 deletions

diff --git a/openpgp/src/armor.rs b/openpgp/src/armor.rs
index 3fa5fa5e..21b39511 100644
--- a/openpgp/src/armor.rs
+++ b/openpgp/src/armor.rs
@@ -1472,6 +1472,11 @@ impl<'a> Reader<'a> {
             // and doing that will finalize the reader, which we'll
             // have to undo later on.
             self.csft = None;
+
+            // We found the signature marker, now consume any armor
+            // headers.
+            self.read_headers()?;
+
             let mut sigs: Vec<Packet> = Vec::new();
             let mut ppr = PacketParserBuilder::from_reader(self.by_ref())?
                 .dearmor(Dearmor::Disabled)
diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs
index 63d42507..e419e14b 100644
--- a/openpgp/src/parse/stream.rs
+++ b/openpgp/src/parse/stream.rs
@@ -3030,7 +3030,7 @@ pub mod test {
     use super::*;
     use std::convert::TryFrom;
     use crate::parse::Parse;
-    use crate::policy::StandardPolicy as P;
+    use crate::policy::{NullPolicy as NP, StandardPolicy as P};
     use crate::serialize::Serialize;
     use crate::{
         crypto::Password,
@@ -3852,6 +3852,58 @@ EK8=
         Ok(())
     }
 
+    /// Tests samples of messages signed with the cleartext signature
+    /// framework.
+    #[test]
+    fn csf_verification() -> Result<()> {
+        struct H(Vec<Cert>, bool);
+        impl VerificationHelper for H {
+            fn get_certs(&mut self, _ids: &[crate::KeyHandle])
+                         -> Result<Vec<Cert>> {
+                Ok(std::mem::take(&mut self.0))
+            }
+
+            fn check(&mut self, m: MessageStructure)
+                     -> Result<()> {
+                for (i, layer) in m.into_iter().enumerate() {
+                    assert_eq!(i, 0);
+                    if let MessageLayer::SignatureGroup { results } = layer {
+                        assert!(! results.is_empty());
+                        for result in results {
+                            result.unwrap();
+                        }
+                        self.1 = true;
+                    } else {
+                        panic!();
+                    }
+                }
+
+                Ok(())
+            }
+        }
+
+        for (m, c) in [
+            ("InRelease", "InRelease.signers.pgp"),
+            ("InRelease.msft", "InRelease.msft.signers.pgp"),
+        ] {
+            let certs = crate::cert::CertParser::from_bytes(
+                crate::tests::key(c))?.collect::<Result<Vec<_>>>()?;
+
+            // The Microsoft cert uses SHA-1.
+            let p = &NP::new();
+            eprintln!("Parsing {}...", m);
+            let mut verifier = VerifierBuilder::from_bytes(
+                crate::tests::message(m))?
+                .with_policy(p, None, H(certs, false))?;
+            let mut b = Vec::new();
+            verifier.read_to_end(&mut b)?;
+            let h = verifier.into_helper();
+            assert!(h.1);
+        }
+
+        Ok(())
+    }
+
     /// Tests whether messages using the cleartext signature framework
     /// with multiple signatures and signers are correctly handled.
     #[test]
diff --git a/openpgp/tests/data/keys/InRelease.msft.signers.pgp b/openpgp/tests/data/keys/InRelease.msft.signers.pgp
new file mode 100644
index 00000000..0cffae08
--- /dev/null
+++ b/openpgp/tests/data/keys/InRelease.msft.signers.pgp
diff --git a/openpgp/tests/data/messages/InRelease.msft b/openpgp/tests/data/messages/InRelease.msft
new file mode 100644
index 00000000..c8aa35f8
--- /dev/null
+++ b/openpgp/tests/data/messages/InRelease.msft
@@ -0,0 +1,45 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Origin: edge stable
+Label: edge stable
+Suite: stable
+Codename: stable
+Date: Fri, 23 Feb 2024 23:40:36 +0000
+Architectures: amd64 arm64 armhf all
+Components: main
+Description: Generated by aptly
+Acquire-By-Hash: no
+SHA256:
+ ac699445592f68f41846a1155373e0f119f583eb956ca2366fc439dfd2f1e9e3           127370 main/binary-amd64/Packages
+ 8057004629cdd7d8fe247272978c6a3b98396911ce77b945b5c103afd2f93753             7695 main/binary-amd64/Packages.gz
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855                0 main/binary-arm64/Packages
+ c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9               29 main/binary-arm64/Packages.gz
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855                0 main/binary-armhf/Packages
+ c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9               29 main/binary-armhf/Packages.gz
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855                0 main/binary-all/Packages
+ c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9               29 main/binary-all/Packages.gz
+ e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855                0 main/source/Sources
+ fff83a1af8d775bca4ea7fafcd320e99a8cb82f1d2bae6fc4a2aa889cae61a45               28 main/source/Sources.gz
+SHA512:
+ cb25aea00cfc787a1753cd691dca80d31d95071eeac3d1338d347f8da2c845fa9fe9b3ce5f67db5bb0bfcc8c19e0edc4d100e29fbca671a0f7895aed43f0b3c4           127370 main/binary-amd64/Packages
+ 9d97f1bcb5629c992d21d857a4305ae9014588d43be32eacacd224c49977a2054e93ef72a9f438213191e62002ee101da2e8a7d33df767e064c25c2b9392bcf2             7695 main/binary-amd64/Packages.gz
+ cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e                0 main/binary-arm64/Packages
+ 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce               29 main/binary-arm64/Packages.gz
+ cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e                0 main/binary-armhf/Packages
+ 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce               29 main/binary-armhf/Packages.gz
+ cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e                0 main/binary-all/Packages
+ 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce               29 main/binary-all/Packages.gz
+ cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e                0 main/source/Sources
+ d7f9bcff224a2f752a7a98daa7b6c8f90d1689d96e393a1f2312c308e40a8ea546b2044f8e943e8804c1e3668bcfd335ca68392e22ade043e761eecd5d94f3e2               28 main/source/Sources.gz
+
+-----BEGIN PGP SIGNATURE-----
+Version: BSN Pgp v1.0.0.0
+
+iQEcBAEBCAAGBQJl2S1YAAoJEOs+lK2+EinP7iMH/0ld9KRAlQjfAna/qjqdy6+c
+Rek5mHBCpmdHtwUQq4KwZFBpesqGDdqYX8XQO2ukXlYTlSFRZVM9jbF/D0vnhPwr
+shahdAHDCs7RPhLryctZWft0pB7vf3PmX/lCkqoCyoyN4/I60Gu7H5D/CJePq2gB
+7dr3iSlUjbzTpKZ//fuZuQ7F3dCDa4m9/In4bZLW0qp37yBYygaAH7IwVeXvvOBL
+uHBuiuRNEy5NfhUDmnHgv1PAnRKvhHSJk1TuYlYttM7/WX/Uia7qdY/7RUvDf9eX
+VCXBMjvtMK3egidkX4CT8irYuK0Sg7hasY+2vqG6+TX3Qdyeg+Kse7pd9MGY91M=
+-----END PGP SIGNATURE-----