diff options
author | Neal H. Walfield <neal@pep.foundation> | 2020-01-15 09:27:08 +0100 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2020-01-15 09:27:08 +0100 |
commit | ac684b9685dd634323ee6fe073ae0dfb1d3aea89 (patch) | |
tree | 617c31d10418f618f3d2a5937e6a7f16aff5d07d /openpgp/src | |
parent | ebe746be2c7b2ccc8b6a7b98bdf84ee286b86c6f (diff) |
openpgp: When verifying a sig, make sure the certificate is good.
- The streaming verifier needs to check not only that the key is
alive and non-revoked, but also that the certificate is alive and
non-revoked.
Diffstat (limited to 'openpgp/src')
-rw-r--r-- | openpgp/src/parse/stream.rs | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs index 87bac054..7102d04b 100644 --- a/openpgp/src/parse/stream.rs +++ b/openpgp/src/parse/stream.rs @@ -705,18 +705,32 @@ impl<'a, H: VerificationHelper> Verifier<'a, H> { .key_handles(issuers.iter()) }) { - err = if let Err(err) = ka.alive() { + err = if let Err(err) = ka.cert_alive() { VerificationResult::Error { sig: sig.clone(), error: err, } + } else if let Err(err) = ka.alive() { + VerificationResult::Error { + sig: sig.clone(), + error: err, + } + } else if destructures_to!( + RevocationStatus::Revoked(_) = ka.cert_revoked()) + { + VerificationResult::Error { + sig: sig.clone(), + error: Error::InvalidKey( + "certificate is revoked".into()) + .into(), + } } else if destructures_to!( RevocationStatus::Revoked(_) = ka.revoked()) { VerificationResult::Error { sig: sig.clone(), error: Error::InvalidKey( - "key is revoked".into()) + "signing key is revoked".into()) .into(), } } else if ! ka.for_signing() { |