From c36fe0a1b14dce01c7ddb7e05e5add4f85e2eef1 Mon Sep 17 00:00:00 2001
From: ryan <ryan@distrust.co>
Date: Sun, 11 Aug 2024 18:57:43 -0400
Subject: [PATCH] keyfork-shard: re-enable standard policy, alive check still
 disabled, add check for encryption keys when discovering certs

---
 crates/keyfork-shard/src/openpgp.rs | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/crates/keyfork-shard/src/openpgp.rs b/crates/keyfork-shard/src/openpgp.rs
index 11f759a..04c25f5 100644
--- a/crates/keyfork-shard/src/openpgp.rs
+++ b/crates/keyfork-shard/src/openpgp.rs
@@ -25,7 +25,7 @@ use openpgp::{
         stream::{DecryptionHelper, DecryptorBuilder, VerificationHelper},
         Parse,
     },
-    policy::{NullPolicy, Policy},
+    policy::{NullPolicy, StandardPolicy, Policy},
     serialize::{
         stream::{ArbitraryWriter, Encryptor2, LiteralWriter, Message, Recipient, Signer},
         Marshal,
@@ -77,6 +77,10 @@ pub enum Error {
     /// An IO error occurred.
     #[error("IO error: {0}")]
     Io(#[source] std::io::Error),
+
+    /// No valid keys were found for the given recipient.
+    #[error("No valid keys were found for the recipient {0}")]
+    NoValidKeys(KeyID),
 }
 
 #[allow(missing_docs)]
@@ -239,6 +243,13 @@ impl<P: PromptHandler> OpenPGP<P> {
                 certs.insert(certfp, cert);
             }
         }
+        for cert in certs.values() {
+            let policy = StandardPolicy::new();
+            let valid_cert = cert.with_policy(&policy, None).map_err(Error::Sequoia)?;
+            if get_encryption_keys(&valid_cert).next().is_none() {
+                return Err(Error::NoValidKeys(valid_cert.keyid()))
+            }
+        }
         Ok(certs.into_values().collect())
     }
 }
@@ -276,7 +287,7 @@ impl<P: PromptHandler> Format for OpenPGP<P> {
         key_data: &[Self::PublicKey],
         threshold: u8,
     ) -> Result<Self::EncryptedData, Self::Error> {
-        let policy = NullPolicy::new();
+        let policy = StandardPolicy::new();
         let mut pp = vec![SHARD_METADATA_VERSION, threshold];
         // Note: Sequoia does not export private keys on a Cert, only on a TSK
         signing_key
@@ -362,7 +373,7 @@ impl<P: PromptHandler> Format for OpenPGP<P> {
         public_key: &Cert,
         signing_key: &mut Self::SigningKey,
     ) -> Result<EncryptedMessage> {
-        let policy = NullPolicy::new();
+        let policy = StandardPolicy::new();
         let valid_cert = public_key
             .with_policy(&policy, None)
             .map_err(Error::Sequoia)?;