diff options
| author | Justus Winter <justus@sequoia-pgp.org> | 2020-01-24 12:13:52 +0100 |
|---|---|---|
| committer | Justus Winter <justus@sequoia-pgp.org> | 2020-01-24 12:16:14 +0100 |
| commit | a3510fd98f5aabf26ce3d3c76b249090386279c4 (patch) | |
| tree | ac2cce09d5bed82337925e453b07fc0acbd586ce | |
| parent | 8e9697ec8a788eecd007f9b45a7f26a952725b19 (diff) | |
openpgp: Fix Cert::set_expiry.
- Do not emit two direct key signatures on userid-less
certificates. Extend test to demonstrate this.
| -rw-r--r-- | openpgp/src/cert/mod.rs | 55 |
1 files changed, 52 insertions, 3 deletions
diff --git a/openpgp/src/cert/mod.rs b/openpgp/src/cert/mod.rs index aa465f57..06d97a0e 100644 --- a/openpgp/src/cert/mod.rs +++ b/openpgp/src/cert/mod.rs @@ -531,8 +531,18 @@ impl Cert { { let primary = self.primary_key().policy(now)?; let mut sigs = Vec::new(); + let binding = primary.binding_signature(); for template in [ - Some(primary.binding_signature()), + // The primary key's binding signature might be the direct + // key signature. To avoid generating two new direct key + // signatures, check that we do have in fact a userid + // binding signature. + if binding.typ() != SignatureType::DirectKey { + // Userid binding signature. + Some(binding) + } else { + None + }, primary.direct_key_signature(), ].iter().filter_map(|&x| x) { // Recompute the signature. @@ -1818,11 +1828,49 @@ mod test { fn set_expiry() { let (cert, _) = CertBuilder::autocrypt(None, Some("Test")) .generate().unwrap(); - + assert_eq!(cert.clone().into_packet_pile().children().count(), + 1 // primary key + + 1 // direct key signature + + 1 // userid + + 1 // binding signature + + 1 // subkey + + 1 // binding signature + ); + let cert = check_set_expiry(cert); + assert_eq!(cert.clone().into_packet_pile().children().count(), + 1 // primary key + + 1 // direct key signature + + 2 // two new direct key signatures + + 1 // userid + + 1 // binding signature + + 2 // two new binding signatures + + 1 // subkey + + 1 // binding signature + ); + } + #[test] + fn set_expiry_uidless() { + let (cert, _) = CertBuilder::new() + .set_expiration(None) // Just to assert this works. + .set_expiration( + Some(crate::types::Duration::weeks(52).unwrap().into())) + .generate().unwrap(); + assert_eq!(cert.clone().into_packet_pile().children().count(), + 1 // primary key + + 1 // direct key signature + ); + let cert = check_set_expiry(cert); + assert_eq!(cert.clone().into_packet_pile().children().count(), + 1 // primary key + + 1 // direct key signature + + 2 // two new direct key signatures + ); + } + fn check_set_expiry(cert: Cert) -> Cert { let now = cert.primary_key().creation_time(); let a_sec = time::Duration::new(1, 0); - let expiry_orig = cert.primary_key().policy(None).unwrap() + let expiry_orig = cert.primary_key().policy(now).unwrap() .key_expiration_time() .expect("Keys expire by default."); @@ -1881,6 +1929,7 @@ mod test { .key_expiration_time(), Some(expiry_new)); } + cert } #[test] |