author | Neal H. Walfield <neal@pep.foundation> | 2020-04-03 11:47:05 +0200 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2020-04-03 11:51:10 +0200 |
commit | 5dcd7da9f497f53a8271f2dbd923b52f230cec31 (patch) | |
tree | f173d0316b24d4e6680d2c77467940cea76dcea7 | |
parent | 1c7f9c3869ab64c70c29bb4567b65a2d030b582e (diff) |
openpgp: Keep the error from the most recent binding signature.
- Change ComponentBundle::binding_signature to return the error from
the most recent binding signature that wasn't created after `t`,
rather than the error from the oldest binding signature.
- Imagine we have two binding signatures: the more recent one is not
expired, but rejected by the policy, and the older one is expired.
The error from the more recent binding signature is probably more
relevant.
-rw-r--r-- | openpgp/src/cert/bundle.rs | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/openpgp/src/cert/bundle.rs b/openpgp/src/cert/bundle.rs index e3ce02d7..85a36b0e 100644 --- a/openpgp/src/cert/bundle.rs +++ b/openpgp/src/cert/bundle.rs @@ -4,6 +4,7 @@ use std::time; use std::ops::Deref; use crate::{ + Error, packet::Signature, packet::Key, packet::key, @@ -163,15 +164,27 @@ impl<C> ComponentBundle<C> { }; let mut sig = None; - let mut error = crate::Error::NoBindingSignature(t).into(); + + // Prefer the first error, which is the error arising from the + // most recent binding signature that wasn't created after + // `t`. + let mut error = None; + for s in self.self_signatures[i..].iter() { if let Err(e) = s.signature_alive(t, time::Duration::new(0, 0)) { - error = e; + // We know that t >= signature's creation time. So, + // it is expired. But an older signature might not + // be. So, keep trying. + if error.is_none() { + error = Some(e); + } continue; } if let Err(e) = policy.signature(s) { - error = e; + if error.is_none() { + error = Some(e); + } continue; } @@ -179,7 +192,13 @@ impl<C> ComponentBundle<C> { break; } - sig.ok_or(error) + if let Some(sig) = sig { + Ok(sig) + } else if let Some(err) = error { + Err(err) + } else { + Err(Error::NoBindingSignature(t).into()) + } } /// The self-signatures. |
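Review bot: Keeping only the first error in the second hunk is correct only if `self.self_signatures[i..]` is ordered newest first, and nothing visible here shows or asserts that ordering. The new comment above `let mut error = None;` should state the invariant it relies on, for example `// self_signatures is sorted newest first, so the first error seen is from the most recent candidate.` The closing if/else chain could be written as `sig.ok_or_else(|| error.unwrap_or_else(|| Error::NoBindingSignature(t).into()))`, which still builds the fallback error only when it is needed. Callers now receive a different error for the same certificate, and the diffstat shows no test change, so a regression test for the case in the commit message (newer signature rejected by policy, older one expired) would pin which error is reported. The function body (presumably `binding_signature`, per the commit message) starts outside the hunk, so how `i` is computed is not visible.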