openpgp: Keep the error from the most recent binding signature.

- Change ComponentBundle::binding_signature to return the error from the most recent binding signature that wasn't created after `t`, rather than the error from the oldest binding signature. - Imagine we have two binding signatures: the more recent one is not expired, but rejected by the policy, and the older one is expired. The error from the more recent binding signature is probably more relevant.
author: Neal H. Walfield <neal@pep.foundation> 2020-04-03 11:47:05 +0200
committer: Neal H. Walfield <neal@pep.foundation> 2020-04-03 11:51:10 +0200
commit: 5dcd7da9f497f53a8271f2dbd923b52f230cec31 (patch)
tree: f173d0316b24d4e6680d2c77467940cea76dcea7
parent: 1c7f9c3869ab64c70c29bb4567b65a2d030b582e (diff)
1 files changed, 23 insertions, 4 deletions
diff --git a/openpgp/src/cert/bundle.rs b/openpgp/src/cert/bundle.rs
index e3ce02d7..85a36b0e 100644
--- a/openpgp/src/cert/bundle.rs
+++ b/openpgp/src/cert/bundle.rs
@@ -4,6 +4,7 @@ use std::time;
 use std::ops::Deref;
 
 use crate::{
+    Error,
     packet::Signature,
     packet::Key,
     packet::key,
@@ -163,15 +164,27 @@ impl<C> ComponentBundle<C> {
             };
 
         let mut sig = None;
-        let mut error = crate::Error::NoBindingSignature(t).into();
+
+        // Prefer the first error, which is the error arising from the
+        // most recent binding signature that wasn't created after
+        // `t`.
+        let mut error = None;
+
         for s in self.self_signatures[i..].iter() {
             if let Err(e) = s.signature_alive(t, time::Duration::new(0, 0)) {
-                error = e;
+                // We know that t >= signature's creation time.  So,
+                // it is expired.  But an older signature might not
+                // be.  So, keep trying.
+                if error.is_none() {
+                    error = Some(e);
+                }
                 continue;
             }
 
             if let Err(e) = policy.signature(s) {
-                error = e;
+                if error.is_none() {
+                    error = Some(e);
+                }
                 continue;
             }
 
@@ -179,7 +192,13 @@ impl<C> ComponentBundle<C> {
             break;
         }
 
-        sig.ok_or(error)
+        if let Some(sig) = sig {
+            Ok(sig)
+        } else if let Some(err) = error {
+            Err(err)
+        } else {
+            Err(Error::NoBindingSignature(t).into())
+        }
     }
 
     /// The self-signatures.
author	Neal H. Walfield <neal@pep.foundation>	2020-04-03 11:47:05 +0200
committer	Neal H. Walfield <neal@pep.foundation>	2020-04-03 11:51:10 +0200
commit	5dcd7da9f497f53a8271f2dbd923b52f230cec31 (patch)
tree	f173d0316b24d4e6680d2c77467940cea76dcea7
parent	1c7f9c3869ab64c70c29bb4567b65a2d030b582e (diff)