keyfork-shard: propagate errors when message signature validation fails

Ryan Heywood 2023-10-19 19:55:12 -05:00
parent 4e64c73f21
commit 0615a66ace
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 33 additions and 19 deletions


@ -2,7 +2,7 @@ use super::openpgp::{
self, self,
cert::Cert, cert::Cert,
packet::{PKESK, SKESK}, packet::{PKESK, SKESK},
parse::stream::{DecryptionHelper, VerificationHelper, MessageStructure}, parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper},
KeyHandle, KeyID, KeyHandle, KeyID,
}; };
@ -48,32 +48,49 @@ impl Keyring {
} }
pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> { pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> {
self self.full_certs.iter().find(|cert| &cert.keyid() == keyid)
.full_certs
.iter()
.find(|cert| &cert.keyid() == keyid)
} }
// NOTE: This can't return an iterator because iterators are all different types // NOTE: This can't return an iterator because iterators are all different types
// and returning different types is naughty // and returning different types is naughty
fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator<Item = &Cert> + 'a { fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator<Item = &Cert> + 'a {
self.full_certs.iter().filter(move |cert| { self.full_certs.iter().filter(move |cert| {
pkesk.recipient().is_wildcard() pkesk.recipient().is_wildcard() || cert.keys().any(|k| &k.keyid() == pkesk.recipient())
|| cert.keys().any(|k| {
&k.keyid() == pkesk.recipient()
})
}) })
} }
} }
impl VerificationHelper for &mut Keyring { impl VerificationHelper for &mut Keyring {
fn get_certs(&mut self, _ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> { fn get_certs(&mut self, ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> {
// TODO: no verification logic until we mark a cert as "root" Ok(ids
// this is the first cert in the metadata list .iter()
Ok(Vec::new()) .flat_map(|kh| {
self.root
.iter()
.filter(move |cert| &cert.key_handle() == kh)
})
.cloned()
.collect())
} }
fn check(&mut self, _structure: MessageStructure) -> openpgp::Result<()> { fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> {
// TODO: ensure that we have a "root" cert and assign it for layer in structure.into_iter() {
#[allow(unused_variables)]
match layer {
MessageLayer::Compression { algo } => {}
MessageLayer::Encryption {
sym_algo,
aead_algo,
} => {}
MessageLayer::SignatureGroup { results } => {
for result in results {
if let Err(e) = result {
// FIXME: anyhow leak
return Err(anyhow::anyhow!(e.to_string()));
}
}
}
}
}
Ok(()) Ok(())
} }
} }
@ -87,10 +104,7 @@ impl DecryptionHelper for &mut Keyring {
mut decrypt: D, mut decrypt: D,
) -> openpgp::Result<Option<openpgp::Fingerprint>> ) -> openpgp::Result<Option<openpgp::Fingerprint>>
where where
D: FnMut( D: FnMut(openpgp::types::SymmetricAlgorithm, &openpgp::crypto::SessionKey) -> bool,
openpgp::types::SymmetricAlgorithm,
&openpgp::crypto::SessionKey,
) -> bool,
{ {
// optimized route: use all locally stored certs // optimized route: use all locally stored certs
for pkesk in pkesks { for pkesk in pkesks {
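Review bot: An unsigned message still passes the new `check`: the loop returns an error only when a `SignatureGroup` contains a failed result, so a structure with no `SignatureGroup` layer, or one whose `results` is empty, falls through to `Ok(())`. If callers rely on this helper to establish that the message was signed by the root cert, `check` should record whether at least one result was `Ok` and return an error otherwise, as sketched below. Separately, `get_certs` compares each handle only with `cert.key_handle()`, the primary key's handle, so a signature issued by a subkey or referenced by key ID would presumably not find the root cert. That fails closed, but it deserves a comment or a match over `cert.keys()`, as `get_certs_for_pkesk` already does.

```rust
fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> {
    // Set once any signature result verifies; an unsigned message never sets it.
    let mut verified = false;
    // … unchanged: layer loop, Compression and Encryption arms …
            MessageLayer::SignatureGroup { results } => {
                for result in results {
                    match result {
                        Ok(_) => verified = true,
                        // FIXME: anyhow leak
                        Err(e) => return Err(anyhow::anyhow!(e.to_string())),
                    }
                }
            }
    // … unchanged: end of match and loop …
    if !verified {
        // Fail closed: no signature layer, or no result that verified.
        return Err(anyhow::anyhow!("message carries no verified signature"));
    }
    Ok(())
}
```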