Check all user IDs, not just self-signed user IDs.
- When checking if a user ID was already signed, don't just check valid self-signed user IDs.
parent
7dee04b9b3
commit
43db8fa44c
@ -10,7 +10,6 @@ use chrono::Utc;
|
||||
use sequoia_openpgp as openpgp;
|
||||
use openpgp::Cert;
|
||||
use openpgp::Result;
|
||||
use openpgp::cert::amalgamation::ValidAmalgamation;
|
||||
use openpgp::packet::prelude::*;
|
||||
use openpgp::packet::signature::subpacket::NotationData;
|
||||
use openpgp::packet::signature::subpacket::NotationDataFlags;
|
||||
@ -201,8 +200,6 @@ The certifier is the same as the certificate to certify."));
|
||||
if the trust depth is greater than 0"));
|
||||
}
|
||||
|
||||
let vc = cert.with_policy(sq.policy, sq.time)?;
|
||||
|
||||
// Get the signer to certify with.
|
||||
let mut signer = sq.get_certification_key(certifier, None)?;
|
||||
|
||||
@ -299,7 +296,7 @@ The certifier is the same as the certificate to certify."));
|
||||
.map(|(userid, active_certification)| {
|
||||
let userid_str = || String::from_utf8_lossy(userid.value());
|
||||
|
||||
if let Some(ua) = vc.userids().find(|ua| ua.userid() == &userid) {
|
||||
if let Some(ua) = cert.userids().find(|ua| ua.userid() == &userid) {
|
||||
if retract {
|
||||
// Check if we certified it.
|
||||
if ! ua.certifications().any(|c| {
|
||||
@ -313,7 +310,9 @@ The certifier is the same as the certificate to certify."));
|
||||
return Ok(vec![ Packet::from(userid.clone()) ]);
|
||||
}
|
||||
} else {
|
||||
if let RevocationStatus::Revoked(_) = ua.revocation_status() {
|
||||
if let RevocationStatus::Revoked(_)
|
||||
= ua.revocation_status(sq.policy, sq.time)
|
||||
{
|
||||
// It's revoked.
|
||||
if user_supplied_userids {
|
||||
// It was explicitly mentioned. Return an
|
||||
|
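Review bot: Dropping `let vc = cert.with_policy(sq.policy, sq.time)?;` removes more than the self-signature filter: its `?` also rejected a certificate that is not valid under the policy at `sq.time`, and nothing visible in these hunks replaces that check. If operating on such a certificate is now intended, say so at the lookup, e.g. `// All user IDs, including ones without a valid self-signature; the certificate is not policy-checked here.` Since `cert.userids()` also yields user IDs with no valid binding, please confirm that the `ua.certifications().any(...)` test in the retract branch verifies each certification against the certifier's key rather than matching on the issuer alone. The closure body and the rest of the enclosing function lie outside the hunks, so this cannot be checked from here.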
@ -651,3 +651,38 @@ fn sq_pki_link_add_temporary() -> Result<()> {
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn retract_non_self_signed() {
|
||||
// Make sure we can retract non-self signed user IDs.
|
||||
let mut sq = Sq::new();
|
||||
|
||||
let alice_userid = "Alice <alice@example.org>";
|
||||
let (alice, alice_pgp, _) = sq.key_generate(&[], &[alice_userid]);
|
||||
sq.key_import(&alice_pgp);
|
||||
|
||||
let petname = "Mon chouchou";
|
||||
|
||||
let msg = artifact("messages/a-cypherpunks-manifesto.txt");
|
||||
let sig_msg = sq.scratch_file(None);
|
||||
let sig_msg = sig_msg.as_path();
|
||||
let sig_msg_str = sig_msg.display().to_string();
|
||||
sq.sign(alice.key_handle(), None, &msg, sig_msg);
|
||||
|
||||
// Verifying should fail: alice's certificate is not linked at all.
|
||||
sq_verify(&sq, None, &[], &[], &sig_msg_str, 0, 1);
|
||||
|
||||
// Link a non-self-signed user ID.
|
||||
sq.tick(1);
|
||||
sq.pki_link_add(&["--add-userid"], alice.key_handle(), petname);
|
||||
|
||||
// Now it should work.
|
||||
sq_verify(&sq, None, &[], &[], &sig_msg_str, 1, 0);
|
||||
|
||||
// Retract the link.
|
||||
sq.tick(1);
|
||||
sq_retract(&sq, &alice.fingerprint().to_string(), &[petname], &[]);
|
||||
|
||||
// Now it should fail.
|
||||
sq_verify(&sq, None, &[], &[], &sig_msg_str, 0, 1);
|
||||
}
|
||||
|
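Review bot: `retract_non_self_signed` exercises only the retract branch, but the commit also changes the add branch, where the check is now `ua.revocation_status(sq.policy, sq.time)` on a user ID looked up from `cert.userids()`. A second case that links a user ID which is present on the certificate without a valid self-signature, or which is revoked, would pin that path as well. The trailing `0, 1` / `1, 0` arguments to `sq_verify` are presumably expected good and bad signature counts; a short comment such as `// expect 0 good, 1 bad` at the first call would make the assertions readable without opening the helper.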