diff options
author | Justus Winter <justus@sequoia-pgp.org> | 2024-02-25 18:17:53 +0100 |
---|---|---|
committer | Justus Winter <justus@sequoia-pgp.org> | 2024-02-25 18:22:11 +0100 |
commit | f21016f51ca9f71d519bce5215394d5dadd63df7 (patch) | |
tree | 67d6c54ae4836e2178b71ceab5681134d2a1ff64 | |
parent | 1cb7f66d9308afd08e5e556f2809513309711355 (diff) |
openpgp: Handle header lines in the cleartext signature framework.
- Fixes #1091.
-rw-r--r-- | openpgp/src/armor.rs | 5 | ||||
-rw-r--r-- | openpgp/src/parse/stream.rs | 54 | ||||
-rw-r--r-- | openpgp/tests/data/keys/InRelease.msft.signers.pgp | bin | 0 -> 641 bytes | |||
-rw-r--r-- | openpgp/tests/data/messages/InRelease.msft | 45 |
4 files changed, 103 insertions, 1 deletions
diff --git a/openpgp/src/armor.rs b/openpgp/src/armor.rs index 3fa5fa5e..21b39511 100644 --- a/openpgp/src/armor.rs +++ b/openpgp/src/armor.rs @@ -1472,6 +1472,11 @@ impl<'a> Reader<'a> { // and doing that will finalize the reader, which we'll // have to undo later on. self.csft = None; + + // We found the signature marker, now consume any armor + // headers. + self.read_headers()?; + let mut sigs: Vec<Packet> = Vec::new(); let mut ppr = PacketParserBuilder::from_reader(self.by_ref())? .dearmor(Dearmor::Disabled) diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs index 63d42507..e419e14b 100644 --- a/openpgp/src/parse/stream.rs +++ b/openpgp/src/parse/stream.rs @@ -3030,7 +3030,7 @@ pub mod test { use super::*; use std::convert::TryFrom; use crate::parse::Parse; - use crate::policy::StandardPolicy as P; + use crate::policy::{NullPolicy as NP, StandardPolicy as P}; use crate::serialize::Serialize; use crate::{ crypto::Password, @@ -3852,6 +3852,58 @@ EK8= Ok(()) } + /// Tests samples of messages signed with the cleartext signature + /// framework. + #[test] + fn csf_verification() -> Result<()> { + struct H(Vec<Cert>, bool); + impl VerificationHelper for H { + fn get_certs(&mut self, _ids: &[crate::KeyHandle]) + -> Result<Vec<Cert>> { + Ok(std::mem::take(&mut self.0)) + } + + fn check(&mut self, m: MessageStructure) + -> Result<()> { + for (i, layer) in m.into_iter().enumerate() { + assert_eq!(i, 0); + if let MessageLayer::SignatureGroup { results } = layer { + assert!(! results.is_empty()); + for result in results { + result.unwrap(); + } + self.1 = true; + } else { + panic!(); + } + } + + Ok(()) + } + } + + for (m, c) in [ + ("InRelease", "InRelease.signers.pgp"), + ("InRelease.msft", "InRelease.msft.signers.pgp"), + ] { + let certs = crate::cert::CertParser::from_bytes( + crate::tests::key(c))?.collect::<Result<Vec<_>>>()?; + + // The Microsoft cert uses SHA-1. + let p = &NP::new(); + eprintln!("Parsing {}...", m); + let mut verifier = VerifierBuilder::from_bytes( + crate::tests::message(m))? + .with_policy(p, None, H(certs, false))?; + let mut b = Vec::new(); + verifier.read_to_end(&mut b)?; + let h = verifier.into_helper(); + assert!(h.1); + } + + Ok(()) + } + /// Tests whether messages using the cleartext signature framework /// with multiple signatures and signers are correctly handled. #[test] diff --git a/openpgp/tests/data/keys/InRelease.msft.signers.pgp b/openpgp/tests/data/keys/InRelease.msft.signers.pgp Binary files differnew file mode 100644 index 00000000..0cffae08 --- /dev/null +++ b/openpgp/tests/data/keys/InRelease.msft.signers.pgp diff --git a/openpgp/tests/data/messages/InRelease.msft b/openpgp/tests/data/messages/InRelease.msft new file mode 100644 index 00000000..c8aa35f8 --- /dev/null +++ b/openpgp/tests/data/messages/InRelease.msft @@ -0,0 +1,45 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +Origin: edge stable +Label: edge stable +Suite: stable +Codename: stable +Date: Fri, 23 Feb 2024 23:40:36 +0000 +Architectures: amd64 arm64 armhf all +Components: main +Description: Generated by aptly +Acquire-By-Hash: no +SHA256: + ac699445592f68f41846a1155373e0f119f583eb956ca2366fc439dfd2f1e9e3 127370 main/binary-amd64/Packages + 8057004629cdd7d8fe247272978c6a3b98396911ce77b945b5c103afd2f93753 7695 main/binary-amd64/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-arm64/Packages + c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9 29 main/binary-arm64/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-armhf/Packages + c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9 29 main/binary-armhf/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-all/Packages + c74125ed2ac3a52a6ef388c682bc5d70736b72f25351901037478b952bbde3c9 29 main/binary-all/Packages.gz + e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/source/Sources + fff83a1af8d775bca4ea7fafcd320e99a8cb82f1d2bae6fc4a2aa889cae61a45 28 main/source/Sources.gz +SHA512: + cb25aea00cfc787a1753cd691dca80d31d95071eeac3d1338d347f8da2c845fa9fe9b3ce5f67db5bb0bfcc8c19e0edc4d100e29fbca671a0f7895aed43f0b3c4 127370 main/binary-amd64/Packages + 9d97f1bcb5629c992d21d857a4305ae9014588d43be32eacacd224c49977a2054e93ef72a9f438213191e62002ee101da2e8a7d33df767e064c25c2b9392bcf2 7695 main/binary-amd64/Packages.gz + cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 0 main/binary-arm64/Packages + 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce 29 main/binary-arm64/Packages.gz + cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 0 main/binary-armhf/Packages + 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce 29 main/binary-armhf/Packages.gz + cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 0 main/binary-all/Packages + 45db920e1f9eaf7c709416d25132a1d2fdf41d528ce0cf0d519555f0123afb15fabfb840d3afc91b6b7c741821fd4697a961c6145afbb013a88096a7e7609bce 29 main/binary-all/Packages.gz + cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e 0 main/source/Sources + d7f9bcff224a2f752a7a98daa7b6c8f90d1689d96e393a1f2312c308e40a8ea546b2044f8e943e8804c1e3668bcfd335ca68392e22ade043e761eecd5d94f3e2 28 main/source/Sources.gz + +-----BEGIN PGP SIGNATURE----- +Version: BSN Pgp v1.0.0.0 + +iQEcBAEBCAAGBQJl2S1YAAoJEOs+lK2+EinP7iMH/0ld9KRAlQjfAna/qjqdy6+c +Rek5mHBCpmdHtwUQq4KwZFBpesqGDdqYX8XQO2ukXlYTlSFRZVM9jbF/D0vnhPwr +shahdAHDCs7RPhLryctZWft0pB7vf3PmX/lCkqoCyoyN4/I60Gu7H5D/CJePq2gB +7dr3iSlUjbzTpKZ//fuZuQ7F3dCDa4m9/In4bZLW0qp37yBYygaAH7IwVeXvvOBL +uHBuiuRNEy5NfhUDmnHgv1PAnRKvhHSJk1TuYlYttM7/WX/Uia7qdY/7RUvDf9eX +VCXBMjvtMK3egidkX4CT8irYuK0Sg7hasY+2vqG6+TX3Qdyeg+Kse7pd9MGY91M= +-----END PGP SIGNATURE----- |