Change sq pki link retract to use the NULL policy.

- Change `sq pki link retract` to use the NULL policy when resolving user IDs. It's safer to retract a link for a user ID than to refuse.
2024-11-24 22:01:06 +01:00 · 2024-11-24 22:01:06 +01:00 · be5b1f7103
commit be5b1f7103
parent 4763cfef48
2 changed files with 51 additions and 2 deletions
--- a/src/commands/pki/link.rs
+++ b/src/commands/pki/link.rs
@ -11,6 +11,7 @@ use cert_store::{LazyCert, Store};

 use crate::Sq;
 use crate::commands::active_certification;
+use crate::common::NULL_POLICY;
 use crate::parse_notations;

 use crate::cli::pki::link;
@ -134,7 +135,7 @@ pub fn retract(sq: Sq, c: link::RetractCommand)
    let (cert, _source)
        = sq.resolve_cert(&c.cert, sequoia_wot::FULLY_TRUSTED)?;

-    let vc = cert.with_policy(sq.policy, Some(sq.time))?;
+    let vc = cert.with_policy(NULL_POLICY, Some(sq.time))?;
    let mut userids = c.userids.resolve(&vc)?;

    let user_supplied_userids = if userids.is_empty() {
--- a/tests/integration/sq_pki_link.rs
+++ b/tests/integration/sq_pki_link.rs
@ -1,3 +1,4 @@
+use std::collections::BTreeSet;
 use std::path::{Path, PathBuf};
 use std::process::ExitStatus;
 use std::sync::{Mutex, OnceLock};
@ -8,14 +9,15 @@ use sequoia_openpgp as openpgp;
 use openpgp::KeyHandle;
 use openpgp::Result;
 use openpgp::Cert;
+use openpgp::parse::Parse;

 use super::common::FileOrKeyHandle;
 use super::common::NO_USERIDS;
 use super::common::Sq;
+use super::common::STANDARD_POLICY;
 use super::common::UserIDArg;
 use super::common::artifact;

-
 // We are going to replace certifications, and we want to make sure
 // that the newest one is the active one.  This means ensuring that
 // the newer one has a newer timestamp.  To avoid sleeping for a
@ -685,6 +687,52 @@ fn retract_non_self_signed() {
    sq_verify(&sq, None, &[], &[], &sig_msg_str, 0, 1);
 }

+#[test]
+fn retract_weak() {
+    // Make sure we can retract signed user IDs whose binding
+    // signatures rely on weak cryptography from a valid certificate.
+    let sq = Sq::new();
+
+    let cert_path = sq.test_data()
+        .join("keys")
+        .join("sha1-userid-priv.pgp");
+    sq.key_import(&cert_path);
+
+    let cert = Cert::from_file(&cert_path).expect("can read");
+
+    // Make sure the user ID is there and really uses SHA-1.
+    let vc = cert.with_policy(STANDARD_POLICY, sq.now())
+        .expect("valid cert");
+    let valid_userids: BTreeSet<_> = vc.userids()
+        .map(|ua| ua.userid())
+        .collect();
+    let all_userids: BTreeSet<_> = cert.userids()
+        .map(|ua| ua.userid())
+        .collect();
+
+    assert!(valid_userids.len() < all_userids.len());
+
+    let weak_userids: Vec<_>
+        = all_userids.difference(&valid_userids)
+        .map(|u| {
+            String::from_utf8_lossy(u.value()).to_string()
+        })
+        .collect();
+    let weak_userids: Vec<&String> = weak_userids.iter().collect();
+
+    // The current policy doesn't allow SHA-1.
+    assert!(
+        sq.pki_link_add_maybe(&[], cert.key_handle(), &weak_userids)
+            .is_err());
+
+    // But the policy as of 2003 did.
+    sq.pki_link_add(&["--policy-as-of", "2003-01-01"],
+                    cert.key_handle(), &weak_userids);
+
+    // Retract.
+    sq.pki_link_retract(&[], cert.key_handle(), &weak_userids[..]);
+}
+
 #[test]
 fn retract_all() {
    // Link all self-signed user IDs and a non-self-signed user ID.