keyfork-shard: propagate errors when message signature validation fails

2023-10-19 19:55:12 -05:00 · 2023-10-19 19:55:12 -05:00 · 0615a66ace
parent 4e64c73f21
commit 0615a66ace
1 changed files with 33 additions and 19 deletions
--- a/keyfork-shard/src/openpgp/keyring.rs
+++ b/keyfork-shard/src/openpgp/keyring.rs
@ -2,7 +2,7 @@ use super::openpgp::{
    self,
    cert::Cert,
    packet::{PKESK, SKESK},
-    parse::stream::{DecryptionHelper, VerificationHelper, MessageStructure},
+    parse::stream::{DecryptionHelper, MessageLayer, MessageStructure, VerificationHelper},
    KeyHandle, KeyID,
 };

@ -48,32 +48,49 @@ impl Keyring {
    }

    pub fn get_cert_for_primary_keyid<'a>(&'a self, keyid: &KeyID) -> Option<&'a Cert> {
-        self
-            .full_certs
-            .iter()
-            .find(|cert| &cert.keyid() == keyid)
+        self.full_certs.iter().find(|cert| &cert.keyid() == keyid)
    }

    // NOTE: This can't return an iterator because iterators are all different types
    // and returning different types is naughty
    fn get_certs_for_pkesk<'a>(&'a self, pkesk: &'a PKESK) -> impl Iterator<Item = &Cert> + 'a {
        self.full_certs.iter().filter(move |cert| {
-            pkesk.recipient().is_wildcard()
-                || cert.keys().any(|k| {
-                    &k.keyid() == pkesk.recipient()
-                })
+            pkesk.recipient().is_wildcard() || cert.keys().any(|k| &k.keyid() == pkesk.recipient())
        })
    }
 }

 impl VerificationHelper for &mut Keyring {
-    fn get_certs(&mut self, _ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> {
-        // TODO: no verification logic until we mark a cert as "root"
-        // this is the first cert in the metadata list
-        Ok(Vec::new())
+    fn get_certs(&mut self, ids: &[KeyHandle]) -> openpgp::Result<Vec<Cert>> {
+        Ok(ids
+            .iter()
+            .flat_map(|kh| {
+                self.root
+                    .iter()
+                    .filter(move |cert| &cert.key_handle() == kh)
+            })
+            .cloned()
+            .collect())
    }
-    fn check(&mut self, _structure: MessageStructure) -> openpgp::Result<()> {
-        // TODO: ensure that we have a "root" cert and assign it
+    fn check(&mut self, structure: MessageStructure) -> openpgp::Result<()> {
+        for layer in structure.into_iter() {
+            #[allow(unused_variables)]
+            match layer {
+                MessageLayer::Compression { algo } => {}
+                MessageLayer::Encryption {
+                    sym_algo,
+                    aead_algo,
+                } => {}
+                MessageLayer::SignatureGroup { results } => {
+                    for result in results {
+                        if let Err(e) = result {
+                            // FIXME: anyhow leak
+                            return Err(anyhow::anyhow!(e.to_string()));
+                        }
+                    }
+                }
+            }
+        }
        Ok(())
    }
 }
@ -87,10 +104,7 @@ impl DecryptionHelper for &mut Keyring {
        mut decrypt: D,
    ) -> openpgp::Result<Option<openpgp::Fingerprint>>
    where
-        D: FnMut(
-            openpgp::types::SymmetricAlgorithm,
-            &openpgp::crypto::SessionKey,
-        ) -> bool,
+        D: FnMut(openpgp::types::SymmetricAlgorithm, &openpgp::crypto::SessionKey) -> bool,
    {
        // optimized route: use all locally stored certs
        for pkesk in pkesks {