From 781681b548932b4b6850c51bad5109f4e9c9ce5e Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Thu, 23 May 2019 16:36:24 +0200
Subject: [PATCH] Use Entitiy.EncryptionKey instead of reimplementing it

This fixes us sometimes using subkeys whose key flags allow encryption but don't have a valid algorithm for encryption, or that are expired, etc.
---
 crypto/key.go | 39 +--------------------------------------
 crypto/session.go | 19 ++-----------------
 go.mod | 2 +-
 go.sum | 4 ++--
 4 files changed, 6 insertions(+), 58 deletions(-)

diff --git a/crypto/key.go b/crypto/key.go
index dfa1347..23ea8f4 100644
--- a/crypto/key.go
+++ b/crypto/key.go
@@ -8,7 +8,6 @@ import (
 "fmt"
 "math/big"
 "strings"
- "time"
 "github.com/ProtonMail/gopenpgp/armor"
 "github.com/ProtonMail/gopenpgp/constants"
@@ -25,46 +24,10 @@ func (pgp *GopenPGP) IsKeyExpired(publicKey []byte) (bool, error) {
 if err != nil {
 return true, err
 }
- candidateSubkey := -1
 for _, e := range pubKeyEntries {
- var maxTime time.Time
- for i, subkey := range e.Subkeys {
- if subkey.Sig.FlagsValid &&
- subkey.Sig.FlagEncryptCommunications &&
- subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
- !subkey.PublicKey.KeyExpired(subkey.Sig, now) &&
- (maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
- candidateSubkey = i
- maxTime = subkey.Sig.CreationTime
- }
- }
-
- if candidateSubkey != -1 {
+ if _, ok := e.EncryptionKey(now); ok {
 return false, nil
 }
-
- // If we don't have any candidate subkeys for encryption and
- // the primary key doesn't have any usage metadata then we
- // assume that the primary key is ok. Or, if the primary key is
- // marked as ok to encrypt to, then we can obviously use it.
- var firstIdentity *openpgp.Identity
- for _, ident := range e.Identities {
- if firstIdentity == nil {
- firstIdentity = ident
- }
- if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
- firstIdentity = ident
- break
- }
- }
- if firstIdentity != nil {
- i := firstIdentity
- if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
- e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
- !e.PrimaryKey.KeyExpired(i.SelfSignature, now) {
- return false, nil
- }
- }
 }
 return true, errors.New("keys expired")
 }
diff --git a/crypto/session.go b/crypto/session.go
index 41aaaaa..54e3c41 100644
--- a/crypto/session.go
+++ b/crypto/session.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "io"
- "golang.org/x/crypto/openpgp"
 "golang.org/x/crypto/openpgp/packet"
 )
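Review bot: In the `IsKeyExpired` hunk of crypto/key.go, the result now depends only on `e.EncryptionKey(now)`, so a key that is not expired but has no usable encryption (sub)key (for example one whose algorithm cannot encrypt, the case the commit message names) is still reported through `return true, errors.New("keys expired")`. Callers cannot tell real expiry from "no valid encryption key", which matters if the result drives a user-facing message or a key-refresh decision. I would state the actual contract on the function, e.g. `// IsKeyExpired reports true when no entity in publicKey has an encryption key that is valid at the current time; expiry is only one of the possible reasons.`, or return a distinct error for the non-expiry case. The start of the function, including where `now` is set, is outside the hunk.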
@@ -70,22 +69,8 @@ func (keyRing *KeyRing) EncryptSessionKey(sessionSplit *SymmetricKey) ([]byte, e
 var pub *packet.PublicKey
 for _, e := range keyRing.GetEntities() {
- for _, subKey := range e.Subkeys {
- if !subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications {
- pub = subKey.PublicKey
- break
- }
- }
- if pub == nil && len(e.Identities) > 0 {
- var i *openpgp.Identity
- for _, i = range e.Identities {
- break
- }
- if i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptStorage || i.SelfSignature.FlagEncryptCommunications {
- pub = e.PrimaryKey
- }
- }
- if pub != nil {
+ if encryptionKey, ok := e.EncryptionKey(pgp.getNow()); ok {
+ pub = encryptionKey.PublicKey
 break
 }
 }
diff --git a/go.mod b/go.mod
index 12854de..c36ec1a 100644
--- a/go.mod
+++ b/go.mod
@@ -8,4 +8,4 @@ require (
 golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f
 )
-replace golang.org/x/crypto => github.com/ProtonMail/crypto v0.0.0-20190427044656-efb430e751f2
+replace golang.org/x/crypto => github.com/ProtonMail/crypto v0.0.0-20190604143603-d3d8a14a4d4f
diff --git a/go.sum b/go.sum
index 9bdfdda..24bf1bd 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/ProtonMail/crypto v0.0.0-20190427044656-efb430e751f2 h1:AKtmaNbSAHE/YsFKiizxHLwTizqGYZXuOaAe15Qy8SE=
-github.com/ProtonMail/crypto v0.0.0-20190427044656-efb430e751f2/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+github.com/ProtonMail/crypto v0.0.0-20190604143603-d3d8a14a4d4f h1:cFhATQTJGK2iZ0dc+jRhr75mh6bsc5Ug6NliaBya8Kw=
+github.com/ProtonMail/crypto v0.0.0-20190604143603-d3d8a14a4d4f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 github.com/ProtonMail/go-mime v0.0.0-20190521135552-09454e3dbe72 h1:hGCc4Oc2fD3I5mNnZ1VlREncVc9EXJF8dxW3sw16gWM=
 github.com/ProtonMail/go-mime v0.0.0-20190521135552-09454e3dbe72/go.mod h1:NYt+V3/4rEeDuaev/zw1zCq8uqVEuPHzDPo3OZrlGJ4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
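Review bot: In the `EncryptSessionKey` hunk of crypto/session.go, `pub` stays nil whenever no entity returns a key from `e.EncryptionKey(pgp.getNow())`, and that case is likely to become more common because the removed loop also accepted subkeys with `FlagEncryptStorage` or without valid flags. The code that consumes `pub` is outside the hunk, so it should be confirmed that a nil `pub` produces an explicit error before the session key is encrypted. `pgp` is not the receiver of this method (the receiver is `keyRing`), so the time presumably comes from a package-level instance; a comment on that line such as `// validity is judged against the package-wide clock, the same one IsKeyExpired uses` would make the dependency visible.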