diff options
author | Kai Michaelis <kai@sequoia-pgp.org> | 2019-01-17 16:04:24 +0100 |
---|---|---|
committer | Kai Michaelis <kai@sequoia-pgp.org> | 2019-01-17 19:02:43 +0100 |
commit | a42be8e74e576c871157aabe6894427347cbd117 (patch) | |
tree | 9381562ca66ba1851daf1be42fe548026b98bbc1 /sqv | |
parent | ddf8b43b70e9b89237fe8a8f946582ed7878e367 (diff) |
sqv: check if a key wasn't revoked at signature ctime.
Closes #44
Diffstat (limited to 'sqv')
-rw-r--r-- | sqv/src/sqv.rs | 24 | ||||
-rw-r--r-- | sqv/tests/data/rev-unrev-msg.txt | 1 | ||||
-rw-r--r-- | sqv/tests/data/rev-unrev-t1-t2.sig | bin | 0 -> 119 bytes | |||
-rw-r--r-- | sqv/tests/data/rev-unrev-t2-t3.sig | bin | 0 -> 119 bytes | |||
-rw-r--r-- | sqv/tests/data/rev-unrev-t3-now.sig | bin | 0 -> 119 bytes | |||
-rw-r--r-- | sqv/tests/data/revoked-unrevoked.key | bin | 0 -> 440 bytes | |||
-rw-r--r-- | sqv/tests/revoked-key.rs | 46 |
7 files changed, 70 insertions, 1 deletions
diff --git a/sqv/src/sqv.rs b/sqv/src/sqv.rs index a1f0c523..ca11d035 100644 --- a/sqv/src/sqv.rs +++ b/sqv/src/sqv.rs @@ -14,7 +14,7 @@ use std::process::exit; use std::fs::File; use std::collections::{HashMap, HashSet}; -use openpgp::{TPK, Packet, packet::Signature, KeyID}; +use openpgp::{TPK, Packet, packet::Signature, KeyID, RevocationStatus}; use openpgp::constants::HashAlgorithm; use openpgp::parse::{Parse, PacketParserResult, PacketParser}; use openpgp::tpk::TPKParser; @@ -251,6 +251,28 @@ fn real_main() -> Result<(), failure::Error> { issuer); break; } + + // check key was valid at sig creation time + let binding = tpk + .subkeys() + .find(|s| { + s.subkey().fingerprint() == key.fingerprint() + }); + if let Some(binding) = binding { + if binding.revoked(t) != RevocationStatus::NotAsFarAsWeKnow { + eprintln!( + "Key was revoked when the signature \ + was created."); + break; + } + } + + if tpk.revoked(t) != RevocationStatus::NotAsFarAsWeKnow { + eprintln!( + "Primary key was revoked when the \ + signature was created."); + break; + } } else { eprintln!( "Signature by {} does not contain \ diff --git a/sqv/tests/data/rev-unrev-msg.txt b/sqv/tests/data/rev-unrev-msg.txt new file mode 100644 index 00000000..1856e9be --- /dev/null +++ b/sqv/tests/data/rev-unrev-msg.txt @@ -0,0 +1 @@ +Hello, World
\ No newline at end of file diff --git a/sqv/tests/data/rev-unrev-t1-t2.sig b/sqv/tests/data/rev-unrev-t1-t2.sig Binary files differnew file mode 100644 index 00000000..812bd623 --- /dev/null +++ b/sqv/tests/data/rev-unrev-t1-t2.sig diff --git a/sqv/tests/data/rev-unrev-t2-t3.sig b/sqv/tests/data/rev-unrev-t2-t3.sig Binary files differnew file mode 100644 index 00000000..3a3b0de7 --- /dev/null +++ b/sqv/tests/data/rev-unrev-t2-t3.sig diff --git a/sqv/tests/data/rev-unrev-t3-now.sig b/sqv/tests/data/rev-unrev-t3-now.sig Binary files differnew file mode 100644 index 00000000..79ff5b11 --- /dev/null +++ b/sqv/tests/data/rev-unrev-t3-now.sig diff --git a/sqv/tests/data/revoked-unrevoked.key b/sqv/tests/data/revoked-unrevoked.key Binary files differnew file mode 100644 index 00000000..6ebb9ee6 --- /dev/null +++ b/sqv/tests/data/revoked-unrevoked.key diff --git a/sqv/tests/revoked-key.rs b/sqv/tests/revoked-key.rs new file mode 100644 index 00000000..f57831ff --- /dev/null +++ b/sqv/tests/revoked-key.rs @@ -0,0 +1,46 @@ +extern crate assert_cli; + +#[cfg(test)] +mod integration { + use assert_cli::Assert; + use std::path; + + #[test] + fn valid_at_signature_ctime() { + Assert::cargo_binary("sqv") + .current_dir(path::Path::new("tests").join("data")) + .with_args( + &["--keyring", + &"revoked-unrevoked.key", + &"rev-unrev-t1-t2.sig", + &"rev-unrev-msg.txt"]) + .stdout().is("5EC9 FDA7 E49B 0F43 F480 2DC7 2BD6 1C89 D633 7855") + .unwrap(); + } + + #[test] + fn revoked_at_signature_ctime() { + Assert::cargo_binary("sqv") + .current_dir(path::Path::new("tests").join("data")) + .with_args( + &["--keyring", + &"revoked-unrevoked.key", + &"rev-unrev-t2-t3.sig", + &"rev-unrev-msg.txt"]) + .fails() + .unwrap(); + } + + #[test] + fn valid_now() { + Assert::cargo_binary("sqv") + .current_dir(path::Path::new("tests").join("data")) + .with_args( + &["--keyring", + &"revoked-unrevoked.key", + &"rev-unrev-t3-now.sig", + &"rev-unrev-msg.txt"]) + .stdout().is("5EC9 FDA7 E49B 0F43 F480 2DC7 2BD6 1C89 D633 7855") + .unwrap(); + } +} |