keyfork-shard: re-enable standard policy, alive check still disabled, add check for encryption keys when discovering certs

2024-08-11 18:57:43 -04:00 · 2024-08-11 18:57:43 -04:00 · c36fe0a1b1
parent c25c11d1a0
commit c36fe0a1b1
1 changed files with 14 additions and 3 deletions
--- a/crates/keyfork-shard/src/openpgp.rs
+++ b/crates/keyfork-shard/src/openpgp.rs
@ -25,7 +25,7 @@ use openpgp::{
        stream::{DecryptionHelper, DecryptorBuilder, VerificationHelper},
        Parse,
    },
-    policy::{NullPolicy, Policy},
+    policy::{NullPolicy, StandardPolicy, Policy},
    serialize::{
        stream::{ArbitraryWriter, Encryptor2, LiteralWriter, Message, Recipient, Signer},
        Marshal,
@ -77,6 +77,10 @@ pub enum Error {
    /// An IO error occurred.
    #[error("IO error: {0}")]
    Io(#[source] std::io::Error),
+
+    /// No valid keys were found for the given recipient.
+    #[error("No valid keys were found for the recipient {0}")]
+    NoValidKeys(KeyID),
 }

 #[allow(missing_docs)]
@ -239,6 +243,13 @@ impl<P: PromptHandler> OpenPGP<P> {
                certs.insert(certfp, cert);
            }
        }
+        for cert in certs.values() {
+            let policy = StandardPolicy::new();
+            let valid_cert = cert.with_policy(&policy, None).map_err(Error::Sequoia)?;
+            if get_encryption_keys(&valid_cert).next().is_none() {
+                return Err(Error::NoValidKeys(valid_cert.keyid()))
+            }
+        }
        Ok(certs.into_values().collect())
    }
 }
@ -276,7 +287,7 @@ impl<P: PromptHandler> Format for OpenPGP<P> {
        key_data: &[Self::PublicKey],
        threshold: u8,
    ) -> Result<Self::EncryptedData, Self::Error> {
-        let policy = NullPolicy::new();
+        let policy = StandardPolicy::new();
        let mut pp = vec![SHARD_METADATA_VERSION, threshold];
        // Note: Sequoia does not export private keys on a Cert, only on a TSK
        signing_key
@ -362,7 +373,7 @@ impl<P: PromptHandler> Format for OpenPGP<P> {
        public_key: &Cert,
        signing_key: &mut Self::SigningKey,
    ) -> Result<EncryptedMessage> {
-        let policy = NullPolicy::new();
+        let policy = StandardPolicy::new();
        let valid_cert = public_key
            .with_policy(&policy, None)
            .map_err(Error::Sequoia)?;