Check all user IDs, not just self-signed user IDs.

- When checking if a user ID was already signed, don't just check
    valid self-signed user IDs.
This commit is contained in:
Neal H. Walfield 2024-10-15 18:29:51 +02:00
parent 7dee04b9b3
commit 43db8fa44c
No known key found for this signature in database
GPG Key ID: 6863C9AD5B4D22D3
2 changed files with 39 additions and 5 deletions

View File

@ -10,7 +10,6 @@ use chrono::Utc;
use sequoia_openpgp as openpgp;
use openpgp::Cert;
use openpgp::Result;
use openpgp::cert::amalgamation::ValidAmalgamation;
use openpgp::packet::prelude::*;
use openpgp::packet::signature::subpacket::NotationData;
use openpgp::packet::signature::subpacket::NotationDataFlags;
@ -201,8 +200,6 @@ The certifier is the same as the certificate to certify."));
if the trust depth is greater than 0"));
}
let vc = cert.with_policy(sq.policy, sq.time)?;
// Get the signer to certify with.
let mut signer = sq.get_certification_key(certifier, None)?;
@ -299,7 +296,7 @@ The certifier is the same as the certificate to certify."));
.map(|(userid, active_certification)| {
let userid_str = || String::from_utf8_lossy(userid.value());
if let Some(ua) = vc.userids().find(|ua| ua.userid() == &userid) {
if let Some(ua) = cert.userids().find(|ua| ua.userid() == &userid) {
if retract {
// Check if we certified it.
if ! ua.certifications().any(|c| {
@ -313,7 +310,9 @@ The certifier is the same as the certificate to certify."));
return Ok(vec![ Packet::from(userid.clone()) ]);
}
} else {
if let RevocationStatus::Revoked(_) = ua.revocation_status() {
if let RevocationStatus::Revoked(_)
= ua.revocation_status(sq.policy, sq.time)
{
// It's revoked.
if user_supplied_userids {
// It was explicitly mentioned. Return an

View File

@ -651,3 +651,38 @@ fn sq_pki_link_add_temporary() -> Result<()> {
Ok(())
}
#[test]
fn retract_non_self_signed() {
// Make sure we can retract non-self signed user IDs.
let mut sq = Sq::new();
let alice_userid = "Alice <alice@example.org>";
let (alice, alice_pgp, _) = sq.key_generate(&[], &[alice_userid]);
sq.key_import(&alice_pgp);
let petname = "Mon chouchou";
let msg = artifact("messages/a-cypherpunks-manifesto.txt");
let sig_msg = sq.scratch_file(None);
let sig_msg = sig_msg.as_path();
let sig_msg_str = sig_msg.display().to_string();
sq.sign(alice.key_handle(), None, &msg, sig_msg);
// Verifying should fail: alice's certificate is not linked at all.
sq_verify(&sq, None, &[], &[], &sig_msg_str, 0, 1);
// Link a non-self-signed user ID.
sq.tick(1);
sq.pki_link_add(&["--add-userid"], alice.key_handle(), petname);
// Now it should work.
sq_verify(&sq, None, &[], &[], &sig_msg_str, 1, 0);
// Retract the link.
sq.tick(1);
sq_retract(&sq, &alice.fingerprint().to_string(), &[petname], &[]);
// Now it should fail.
sq_verify(&sq, None, &[], &[], &sig_msg_str, 0, 1);
}