sqv: check if a key wasn't revoked at signature ctime.

Closes #44
author: Kai Michaelis <kai@sequoia-pgp.org> 2019-01-17 16:04:24 +0100
committer: Kai Michaelis <kai@sequoia-pgp.org> 2019-01-17 19:02:43 +0100
commit: a42be8e74e576c871157aabe6894427347cbd117 (patch)
tree: 9381562ca66ba1851daf1be42fe548026b98bbc1 /sqv
parent: ddf8b43b70e9b89237fe8a8f946582ed7878e367 (diff)
7 files changed, 70 insertions, 1 deletions
diff --git a/sqv/src/sqv.rs b/sqv/src/sqv.rs
index a1f0c523..ca11d035 100644
--- a/sqv/src/sqv.rs
+++ b/sqv/src/sqv.rs
@@ -14,7 +14,7 @@ use std::process::exit;
 use std::fs::File;
 use std::collections::{HashMap, HashSet};
 
-use openpgp::{TPK, Packet, packet::Signature, KeyID};
+use openpgp::{TPK, Packet, packet::Signature, KeyID, RevocationStatus};
 use openpgp::constants::HashAlgorithm;
 use openpgp::parse::{Parse, PacketParserResult, PacketParser};
 use openpgp::tpk::TPKParser;
@@ -251,6 +251,28 @@ fn real_main() -> Result<(), failure::Error> {
                                         issuer);
                                     break;
                                 }
+
+                                // check key was valid at sig creation time
+                                let binding = tpk
+                                    .subkeys()
+                                    .find(|s| {
+                                        s.subkey().fingerprint() == key.fingerprint()
+                                    });
+                                if let Some(binding) = binding {
+                                    if binding.revoked(t) != RevocationStatus::NotAsFarAsWeKnow {
+                                        eprintln!(
+                                            "Key was revoked when the signature \
+                                             was created.");
+                                        break;
+                                    }
+                                }
+
+                                if tpk.revoked(t) != RevocationStatus::NotAsFarAsWeKnow {
+                                    eprintln!(
+                                        "Primary key was revoked when the \
+                                         signature was created.");
+                                    break;
+                                }
                             } else {
                                 eprintln!(
                                     "Signature by {} does not contain \
diff --git a/sqv/tests/data/rev-unrev-msg.txt b/sqv/tests/data/rev-unrev-msg.txt
new file mode 100644
index 00000000..1856e9be
--- /dev/null
+++ b/sqv/tests/data/rev-unrev-msg.txt
@@ -0,0 +1 @@
+Hello, World
+\ No newline at end of file
diff --git a/sqv/tests/data/rev-unrev-t1-t2.sig b/sqv/tests/data/rev-unrev-t1-t2.sig
new file mode 100644
index 00000000..812bd623
--- /dev/null
+++ b/sqv/tests/data/rev-unrev-t1-t2.sig
diff --git a/sqv/tests/data/rev-unrev-t2-t3.sig b/sqv/tests/data/rev-unrev-t2-t3.sig
new file mode 100644
index 00000000..3a3b0de7
--- /dev/null
+++ b/sqv/tests/data/rev-unrev-t2-t3.sig
diff --git a/sqv/tests/data/rev-unrev-t3-now.sig b/sqv/tests/data/rev-unrev-t3-now.sig
new file mode 100644
index 00000000..79ff5b11
--- /dev/null
+++ b/sqv/tests/data/rev-unrev-t3-now.sig
diff --git a/sqv/tests/data/revoked-unrevoked.key b/sqv/tests/data/revoked-unrevoked.key
new file mode 100644
index 00000000..6ebb9ee6
--- /dev/null
+++ b/sqv/tests/data/revoked-unrevoked.key
diff --git a/sqv/tests/revoked-key.rs b/sqv/tests/revoked-key.rs
new file mode 100644
index 00000000..f57831ff
--- /dev/null
+++ b/sqv/tests/revoked-key.rs
@@ -0,0 +1,46 @@
+extern crate assert_cli;
+
+#[cfg(test)]
+mod integration {
+    use assert_cli::Assert;
+    use std::path;
+
+    #[test]
+    fn valid_at_signature_ctime() {
+        Assert::cargo_binary("sqv")
+            .current_dir(path::Path::new("tests").join("data"))
+            .with_args(
+                &["--keyring",
+                  &"revoked-unrevoked.key",
+                  &"rev-unrev-t1-t2.sig",
+                  &"rev-unrev-msg.txt"])
+            .stdout().is("5EC9 FDA7 E49B 0F43 F480  2DC7 2BD6 1C89 D633 7855")
+            .unwrap();
+    }
+
+    #[test]
+    fn revoked_at_signature_ctime() {
+        Assert::cargo_binary("sqv")
+            .current_dir(path::Path::new("tests").join("data"))
+            .with_args(
+                &["--keyring",
+                  &"revoked-unrevoked.key",
+                  &"rev-unrev-t2-t3.sig",
+                  &"rev-unrev-msg.txt"])
+            .fails()
+            .unwrap();
+    }
+
+    #[test]
+    fn valid_now() {
+        Assert::cargo_binary("sqv")
+            .current_dir(path::Path::new("tests").join("data"))
+            .with_args(
+                &["--keyring",
+                  &"revoked-unrevoked.key",
+                  &"rev-unrev-t3-now.sig",
+                  &"rev-unrev-msg.txt"])
+            .stdout().is("5EC9 FDA7 E49B 0F43 F480  2DC7 2BD6 1C89 D633 7855")
+            .unwrap();
+    }
+}
author	Kai Michaelis <kai@sequoia-pgp.org>	2019-01-17 16:04:24 +0100
committer	Kai Michaelis <kai@sequoia-pgp.org>	2019-01-17 19:02:43 +0100
commit	a42be8e74e576c871157aabe6894427347cbd117 (patch)
tree	9381562ca66ba1851daf1be42fe548026b98bbc1 /sqv
parent	ddf8b43b70e9b89237fe8a8f946582ed7878e367 (diff)