diff options
| author | Neal H. Walfield <neal@pep.foundation> | 2019-11-09 23:55:02 +0100 |
|---|---|---|
| committer | Neal H. Walfield <neal@pep.foundation> | 2019-11-10 00:05:23 +0100 |
| commit | b8e5ef908ee211daee84a0782a115ae7fc003ec0 (patch) | |
| tree | 360698ced26dc36aad015e11b89137d613b89208 /openpgp | |
| parent | 365862ed513057900c0d6c106ec51dff0a09693e (diff) | |
openpgp: Distinguish bad signatures from those that are not alive.
- Return a different `VerificationResult` for signatures that are
not alive (BadSignature) from signatures that are actually
bad (BadCheck).
Diffstat (limited to 'openpgp')
| -rw-r--r-- | openpgp/examples/decrypt-with.rs | 6 | ||||
| -rw-r--r-- | openpgp/examples/generate-sign-verify.rs | 3 | ||||
| -rw-r--r-- | openpgp/src/parse/stream.rs | 45 |
3 files changed, 36 insertions, 18 deletions
diff --git a/openpgp/examples/decrypt-with.rs b/openpgp/examples/decrypt-with.rs index ad8920c0..4b5d231a 100644 --- a/openpgp/examples/decrypt-with.rs +++ b/openpgp/examples/decrypt-with.rs @@ -131,6 +131,12 @@ impl VerificationHelper for Helper { .expect("good checksum has an issuer"); eprintln!("Good signature from {}", issuer); }, + NotAlive(ref sig) => { + let issuer = sig.issuer() + .expect("not alive has an issuer"); + eprintln!("Good, but not alive signature from {}", + issuer); + }, MissingKey(ref sig) => { let issuer = sig.issuer() .expect("missing key checksum has an \ diff --git a/openpgp/examples/generate-sign-verify.rs b/openpgp/examples/generate-sign-verify.rs index 8dae191c..bddacc71 100644 --- a/openpgp/examples/generate-sign-verify.rs +++ b/openpgp/examples/generate-sign-verify.rs @@ -108,6 +108,9 @@ impl<'a> VerificationHelper for Helper<'a> { match results.get(0) { Some(VerificationResult::GoodChecksum(..)) => good = true, + Some(VerificationResult::NotAlive(..)) => + return Err(failure::err_msg( + "Signature good, but not alive")), Some(VerificationResult::MissingKey(_)) => return Err(failure::err_msg( "Missing key to verify signature")), diff --git a/openpgp/src/parse/stream.rs b/openpgp/src/parse/stream.rs index 29e3e85e..4d07b483 100644 --- a/openpgp/src/parse/stream.rs +++ b/openpgp/src/parse/stream.rs @@ -152,6 +152,12 @@ pub enum VerificationResult<'a> { &'a key::UnspecifiedPublic, Option<&'a Signature>, RevocationStatus<'a>), + /// The signature is good, but it is not alive at the specified + /// time. + /// + /// See `SubpacketAreas::signature_alive` for a definition of + /// liveness. + NotAlive(Signature), /// Unable to verify the signature because the key is missing. MissingKey(Signature), /// The signature is bad. @@ -164,6 +170,7 @@ impl<'a> VerificationResult<'a> { use self::VerificationResult::*; match self { &GoodChecksum(ref sig, ..) => sig.level(), + &NotAlive(ref sig, ..) => sig.level(), &MissingKey(ref sig) => sig.level(), &BadChecksum(ref sig) => sig.level(), } @@ -597,33 +604,34 @@ impl<'a, H: VerificationHelper> Verifier<'a, H> { IMessageLayer::SignatureGroup { sigs, .. } => { results.new_signature_group(); for sig in sigs.into_iter() { - results.push_verification_result( - if let Some(issuer) = sig.get_issuer() { - if let Some((i, j)) = - self.keys.get(&issuer) - { - let tpk = &self.tpks[*i]; - let (binding, revocation, key) - = tpk.keys_all().nth(*j) - .unwrap(); - if sig.verify(key).unwrap_or(false) - && sig.signature_alive(self.time) - { + let r = if let Some(issuer) = sig.get_issuer() { + if let Some((i, j)) = + self.keys.get(&issuer) + { + let tpk = &self.tpks[*i]; + let (binding, revocation, key) + = tpk.keys_all().nth(*j).unwrap(); + if sig.verify(key).unwrap_or(false) { + if sig.signature_alive(self.time) { VerificationResult::GoodChecksum (sig, tpk, key, binding, revocation) + } else if !sig.signature_alive(self.time) { + VerificationResult::NotAlive(sig) } else { - VerificationResult::BadChecksum - (sig) + VerificationResult::BadChecksum(sig) } } else { - VerificationResult::MissingKey(sig) + VerificationResult::BadChecksum(sig) } } else { - // No issuer. - VerificationResult::BadChecksum(sig) + VerificationResult::MissingKey(sig) } - ) + } else { + // No issuer. + VerificationResult::BadChecksum(sig) + }; + results.push_verification_result(r) } }, } @@ -1614,6 +1622,7 @@ mod test { match result { GoodChecksum(..) => self.good += 1, MissingKey(_) => self.unknown += 1, + NotAlive(_) => self.bad += 1, BadChecksum(_) => self.bad += 1, } } |