keyfork-shard: propagate errors when message signature validation fails
This commit is contained in:
parent
4e64c73f21
commit
0615a66ace
|
@ -2,7 +2,7 @@ use super::openpgp::{
|
||||||
self,
|
self,
|
||||||
cert::Cert,
|
cert::Cert,
|
||||||
packet::{PKESK, SKESK},
|
packet::{PKESK, SKESK},
|
||||||
parse::stream::{DecryptionHelper, VerificationHelper, MessageStructure},
|
parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper},
|
||||||
KeyHandle, KeyID,
|
KeyHandle, KeyID,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -48,32 +48,49 @@ impl Keyring {
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> {
|
pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> {
|
||||||
self
|
self.full_certs.iter().find(|cert| &cert.keyid() == keyid)
|
||||||
.full_certs
|
|
||||||
.iter()
|
|
||||||
.find(|cert| &cert.keyid() == keyid)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// NOTE: This can't return an iterator because iterators are all different types
|
// NOTE: This can't return an iterator because iterators are all different types
|
||||||
// and returning different types is naughty
|
// and returning different types is naughty
|
||||||
fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator<Item = &Cert> + 'a {
|
fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator<Item = &Cert> + 'a {
|
||||||
self.full_certs.iter().filter(move |cert| {
|
self.full_certs.iter().filter(move |cert| {
|
||||||
pkesk.recipient().is_wildcard()
|
pkesk.recipient().is_wildcard() || cert.keys().any(|k| &k.keyid() == pkesk.recipient())
|
||||||
|| cert.keys().any(|k| {
|
|
||||||
&k.keyid() == pkesk.recipient()
|
|
||||||
})
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl VerificationHelper for &mut Keyring {
|
impl VerificationHelper for &mut Keyring {
|
||||||
fn get_certs(&mut self, _ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> {
|
fn get_certs(&mut self, ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> {
|
||||||
// TODO: no verification logic until we mark a cert as "root"
|
Ok(ids
|
||||||
// this is the first cert in the metadata list
|
.iter()
|
||||||
Ok(Vec::new())
|
.flat_map(|kh| {
|
||||||
|
self.root
|
||||||
|
.iter()
|
||||||
|
.filter(move |cert| &cert.key_handle() == kh)
|
||||||
|
})
|
||||||
|
.cloned()
|
||||||
|
.collect())
|
||||||
|
}
|
||||||
|
fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> {
|
||||||
|
for layer in structure.into_iter() {
|
||||||
|
#[allow(unused_variables)]
|
||||||
|
match layer {
|
||||||
|
MessageLayer::Compression { algo } => {}
|
||||||
|
MessageLayer::Encryption {
|
||||||
|
sym_algo,
|
||||||
|
aead_algo,
|
||||||
|
} => {}
|
||||||
|
MessageLayer::SignatureGroup { results } => {
|
||||||
|
for result in results {
|
||||||
|
if let Err(e) = result {
|
||||||
|
// FIXME: anyhow leak
|
||||||
|
return Err(anyhow::anyhow!(e.to_string()));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
fn check(&mut self, _structure: MessageStructure) -> openpgp::Result<()> {
|
|
||||||
// TODO: ensure that we have a "root" cert and assign it
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -87,10 +104,7 @@ impl DecryptionHelper for &mut Keyring {
|
||||||
mut decrypt: D,
|
mut decrypt: D,
|
||||||
) -> openpgp::Result<Option<openpgp::Fingerprint>>
|
) -> openpgp::Result<Option<openpgp::Fingerprint>>
|
||||||
where
|
where
|
||||||
D: FnMut(
|
D: FnMut(openpgp::types::SymmetricAlgorithm, &openpgp::crypto::SessionKey) -> bool,
|
||||||
openpgp::types::SymmetricAlgorithm,
|
|
||||||
&openpgp::crypto::SessionKey,
|
|
||||||
) -> bool,
|
|
||||||
{
|
{
|
||||||
// optimized route: use all locally stored certs
|
// optimized route: use all locally stored certs
|
||||||
for pkesk in pkesks {
|
for pkesk in pkesks {
|
||||||
|
|
Loading…
Reference in New Issue