Use Entitiy.EncryptionKey instead of reimplementing it
This fixes us sometimes using subkeys whose key flags allow encryption but don't have a valid algorithm for encryption, or that are expired, etc.
This commit is contained in:
Daniel Huigens
parent
e65ed17b41
commit
781681b548
4 changed files with 6 additions and 58 deletions
|
|
@ -8,7 +8,6 @@ import (
|
|||
"fmt"
|
||||
"math/big"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/ProtonMail/gopenpgp/armor"
|
||||
"github.com/ProtonMail/gopenpgp/constants"
|
||||
|
|
@ -25,46 +24,10 @@ func (pgp *GopenPGP) IsKeyExpired(publicKey []byte) (bool, error) {
|
|||
if err != nil {
|
||||
return true, err
|
||||
}
|
||||
candidateSubkey := -1
|
||||
for _, e := range pubKeyEntries {
|
||||
var maxTime time.Time
|
||||
for i, subkey := range e.Subkeys {
|
||||
if subkey.Sig.FlagsValid &&
|
||||
subkey.Sig.FlagEncryptCommunications &&
|
||||
subkey.PublicKey.PubKeyAlgo.CanEncrypt() &&
|
||||
!subkey.PublicKey.KeyExpired(subkey.Sig, now) &&
|
||||
(maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) {
|
||||
candidateSubkey = i
|
||||
maxTime = subkey.Sig.CreationTime
|
||||
}
|
||||
}
|
||||
|
||||
if candidateSubkey != -1 {
|
||||
if _, ok := e.EncryptionKey(now); ok {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// If we don't have any candidate subkeys for encryption and
|
||||
// the primary key doesn't have any usage metadata then we
|
||||
// assume that the primary key is ok. Or, if the primary key is
|
||||
// marked as ok to encrypt to, then we can obviously use it.
|
||||
var firstIdentity *openpgp.Identity
|
||||
for _, ident := range e.Identities {
|
||||
if firstIdentity == nil {
|
||||
firstIdentity = ident
|
||||
}
|
||||
if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
|
||||
firstIdentity = ident
|
||||
break
|
||||
}
|
||||
}
|
||||
if firstIdentity != nil {
|
||||
i := firstIdentity
|
||||
if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications &&
|
||||
e.PrimaryKey.PubKeyAlgo.CanEncrypt() &&
|
||||
!e.PrimaryKey.KeyExpired(i.SelfSignature, now) {
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
return true, errors.New("keys expired")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,6 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
|
||||
"golang.org/x/crypto/openpgp"
|
||||
"golang.org/x/crypto/openpgp/packet"
|
||||
)
|
||||
|
||||
|
|
@ -70,22 +69,8 @@ func (keyRing *KeyRing) EncryptSessionKey(sessionSplit *SymmetricKey) ([]byte, e
|
|||
|
||||
var pub *packet.PublicKey
|
||||
for _, e := range keyRing.GetEntities() {
|
||||
for _, subKey := range e.Subkeys {
|
||||
if !subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications {
|
||||
pub = subKey.PublicKey
|
||||
break
|
||||
}
|
||||
}
|
||||
if pub == nil && len(e.Identities) > 0 {
|
||||
var i *openpgp.Identity
|
||||
for _, i = range e.Identities {
|
||||
break
|
||||
}
|
||||
if i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptStorage || i.SelfSignature.FlagEncryptCommunications {
|
||||
pub = e.PrimaryKey
|
||||
}
|
||||
}
|
||||
if pub != nil {
|
||||
if encryptionKey, ok := e.EncryptionKey(pgp.getNow()); ok {
|
||||
pub = encryptionKey.PublicKey
|
||||
break
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue