From 0615a66aced37594df3b005855d1970d555b5627 Mon Sep 17 00:00:00 2001 From: ryan Date: Thu, 19 Oct 2023 19:55:12 -0500 Subject: [PATCH] keyfork-shard: propagate errors when message signature validation fails --- keyfork-shard/src/openpgp/keyring.rs | 52 ++++++++++++++++++---------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/keyfork-shard/src/openpgp/keyring.rs b/keyfork-shard/src/openpgp/keyring.rs index db4352f..9610c3b 100644 --- a/keyfork-shard/src/openpgp/keyring.rs +++ b/keyfork-shard/src/openpgp/keyring.rs @@ -2,7 +2,7 @@ use super::openpgp::{ self, cert::Cert, packet::{PKESK, SKESK}, - parse::stream::{DecryptionHelper, VerificationHelper, MessageStructure}, + parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper}, KeyHandle, KeyID, }; 
@@ -48,32 +48,49 @@ impl Keyring { } pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> { - self - .full_certs - .iter() - .find(|cert| &cert.keyid() == keyid) + self.full_certs.iter().find(|cert| &cert.keyid() == keyid) } // NOTE: This can't return an iterator because iterators are all different types // and returning different types is naughty fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator + 'a { self.full_certs.iter().filter(move |cert| { - pkesk.recipient().is_wildcard() - || cert.keys().any(|k| { - &k.keyid() == pkesk.recipient() - }) + pkesk.recipient().is_wildcard() || cert.keys().any(|k| &k.keyid() == pkesk.recipient()) }) } } impl VerificationHelper for &mut Keyring { - fn get_certs(&mut self, _ids: &[KeyHandle]) -> openpgp::Result> { - // TODO: no verification logic until we mark a cert as "root" - // this is the first cert in the metadata list - Ok(Vec::new()) + fn get_certs(&mut self, ids: &[KeyHandle]) -> openpgp::Result> { + Ok(ids + .iter() + .flat_map(|kh| { + self.root + .iter() + .filter(move |cert| &cert.key_handle() == kh) + }) + .cloned() + .collect()) } - fn check(&mut self, _structure: MessageStructure) -> openpgp::Result<()> { - // TODO: ensure that we have a "root" cert and assign it + fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> { + for layer in structure.into_iter() { + #[allow(unused_variables)] + match layer { + MessageLayer::Compression { algo } => {} + MessageLayer::Encryption { + sym_algo, + aead_algo, + } => {} + MessageLayer::SignatureGroup { results } => { + for result in results { + if let Err(e) = result { + // FIXME: anyhow leak + return Err(anyhow::anyhow!(e.to_string())); + } + } + } + } + } Ok(()) } } 
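Review bot: `check` still returns `Ok(())` for a message that carries no signature at all, because the loop only returns early on an `Err` inside a `SignatureGroup` layer and a structure with only Encryption or Compression layers falls through to the final `Ok(())`. If shard messages are required to be signed by the root cert (the callers are not visible from this hunk), an unsigned message would pass this validation instead of failing it. Consider recording whether at least one result was `Ok` and rejecting the message otherwise, as sketched below; the error text is a placeholder.

```rust
fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> {
    let mut verified = false;
    // … unchanged: loop over layers, Compression and Encryption arms …
                for result in results {
                    match result {
                        Ok(_) => verified = true,
                        // FIXME: anyhow leak
                        Err(e) => return Err(anyhow::anyhow!(e.to_string())),
                    }
                }
    // … unchanged: end of the SignatureGroup arm, match and loop …
    if !verified {
        return Err(anyhow::anyhow!("no verified signature in message"));
    }
```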
@@ -87,10 +104,7 @@ impl DecryptionHelper for &mut Keyring { mut decrypt: D, ) -> openpgp::Result> where - D: FnMut( - openpgp::types::SymmetricAlgorithm, - &openpgp::crypto::SessionKey, - ) -> bool, + D: FnMut(openpgp::types::SymmetricAlgorithm, &openpgp::crypto::SessionKey) -> bool, { // optimized route: use all locally stored certs for pkesk in pkesks {