diff --git a/crypto/keyring_message.go b/crypto/keyring_message.go
index 1c429eb..999ed73 100644
--- a/crypto/keyring_message.go
+++ b/crypto/keyring_message.go
@@ -84,12 +84,13 @@ func (keyRing *KeyRing) SignDetached(message *PlainMessage) (*PGPSignature, erro
 // VerifyDetached verifies a PlainMessage with a detached PGPSignature
 // and returns a SignatureVerificationError if fails.
 func (keyRing *KeyRing) VerifyDetached(message *PlainMessage, signature *PGPSignature, verifyTime int64) error {
- return verifySignature(
+ _, err := verifySignature(
 keyRing.entities,
 message.NewReader(),
 signature.GetBinary(),
 verifyTime,
 )
+ return err
 }
 // SignDetachedEncrypted generates and returns a PGPMessage
@@ -126,38 +127,16 @@ func (keyRing *KeyRing) VerifyDetachedEncrypted(message *PlainMessage, encrypted
 // returns the creation time of the signature if it succeeds
 // and returns a SignatureVerificationError if fails.
 func (keyRing *KeyRing) GetVerifiedSignatureTimestamp(message *PlainMessage, signature *PGPSignature, verifyTime int64) (int64, error) {
- packets := packet.NewReader(bytes.NewReader(signature.Data))
- var err error
- var p packet.Packet
- for {
- p, err = packets.Next()
- if errors.Is(err, io.EOF) {
- break
- }
- if err != nil {
- continue
- }
- sigPacket, ok := p.(*packet.Signature)
- if !ok {
- continue
- }
- var outBuf bytes.Buffer
- err = sigPacket.Serialize(&outBuf)
- if err != nil {
- continue
- }
- err = verifySignature(
- keyRing.entities,
- message.NewReader(),
- outBuf.Bytes(),
- verifyTime,
- )
- if err != nil {
- continue
- }
- return sigPacket.CreationTime.Unix(), nil
+ sigPacket, err := verifySignature(
+ keyRing.entities,
+ message.NewReader(),
+ signature.GetBinary(),
+ verifyTime,
+ )
+ if err != nil {
+ return 0, err
 }
- return 0, errors.Wrap(err, "gopenpgp: can't verify any signature packets")
+ return sigPacket.CreationTime.Unix(), nil
 }
 // ------ INTERNAL FUNCTIONS -------
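Review bot: The rewritten GetVerifiedSignatureTimestamp changes which packet's creation time is reported when signature.Data holds more than one signature packet: the removed loop tried every packet in turn and returned the first one that verified against keyRing (skipping failures with `continue`), whereas the new body reports whichever single *packet.Signature verifySignature hands back, so the result for multi-signer blobs now depends on how openpgp.VerifyDetachedSignatureAndHash picks a packet, which is not visible here. If that call only considers one packet, a blob that used to verify on its second packet would now fail with the error from newSignatureFailed(). The doc comment should state the contract either way, e.g. `// returns the creation time (Unix seconds) of the signature packet that verified against the key ring;` / `// with verifyTime == 0 the expiry check is disabled, so the time of an expired signature may be returned.` The removed uses of packet, bytes, io and errors.Wrap may leave imports in this file unused if these were their last references; the import block is outside the hunk.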
diff --git a/crypto/keyring_streaming.go b/crypto/keyring_streaming.go
index f742a9b..51ef80d 100644
--- a/crypto/keyring_streaming.go
+++ b/crypto/keyring_streaming.go
@@ -324,12 +324,13 @@ func (keyRing *KeyRing) VerifyDetachedStream(
 signature *PGPSignature,
 verifyTime int64,
 ) error {
- return verifySignature(
+ _, err := verifySignature(
 keyRing.entities,
 message,
 signature.GetBinary(),
 verifyTime,
 )
+ return err
 }
 // SignDetachedEncryptedStream generates and returns a PGPMessage
diff --git a/crypto/signature.go b/crypto/signature.go
index 3b15ba3..609b347 100644
--- a/crypto/signature.go
+++ b/crypto/signature.go
@@ -119,7 +119,7 @@ func verifyDetailsSignature(md *openpgp.MessageDetails, verifierKey *KeyRing) er
 }
 // verifySignature verifies if a signature is valid with the entity list.
-func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signature []byte, verifyTime int64) error {
+func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signature []byte, verifyTime int64) (*packet.Signature, error) {
 config := &packet.Config{}
 if verifyTime == 0 {
 config.Time = func() time.Time {
@@ -134,9 +134,9 @@ func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signa
 sig, signer, err := openpgp.VerifyDetachedSignatureAndHash(pubKeyEntries, origText, signatureReader, allowedHashes, config)
- if signer != nil && (errors.Is(err, pgpErrors.ErrSignatureExpired) || errors.Is(err, pgpErrors.ErrKeyExpired)) {
+ if sig != nil && signer != nil && (errors.Is(err, pgpErrors.ErrSignatureExpired) || errors.Is(err, pgpErrors.ErrKeyExpired)) {
 if verifyTime == 0 {
 // Expiration check disabled
- return nil
+ return sig, nil
 }
 // Maybe the creation time offset pushed it over the edge
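Review bot: The doc comment above the changed signature still reads `// verifySignature verifies if a signature is valid with the entity list.` and says nothing about the new *packet.Signature result, even though GetVerifiedSignatureTimestamp now dereferences it and VerifyDetached/VerifyDetachedStream discard it. The contract worth recording is that the packet is only meaningful when err is nil; every failure path visible in this commit returns `nil, newSignatureFailed()`, while lines 143-146 of the function are not shown. Suggested replacement: `// verifySignature checks signature over origText against pubKeyEntries and returns the` / `// signature packet that verified. On failure the packet is nil and the error comes from` / `// newSignatureFailed(); callers must not read the packet when err != nil.` The function body continues past this hunk.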
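Review bot: The `return sig, nil` under `// Expiration check disabled` now hands a signature that the library reported as ErrSignatureExpired or ErrKeyExpired back to callers as a fully verified packet, and GetVerifiedSignatureTimestamp turns its CreationTime into a trusted timestamp. That is the pre-existing verifyTime == 0 policy, but since the packet now escapes the function the comment should say so, e.g. `// Expiration check disabled (verifyTime == 0): sig is cryptographically valid but the` / `// key or signature may be expired; callers receive it as verified.` The added `sig != nil` guard is the right companion to the new return, because the `sig == nil` check at the end of the function is only reached on the retry path, not on this early return.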
@@ -147,15 +147,15 @@ func verifySignature(pubKeyEntries openpgp.EntityList, origText io.Reader, signa
 _, err = signatureReader.Seek(0, io.SeekStart)
 if err != nil {
- return newSignatureFailed()
+ return nil, newSignatureFailed()
 }
 sig, signer, err = openpgp.VerifyDetachedSignatureAndHash(pubKeyEntries, origText, signatureReader, allowedHashes, config)
 }
 if err != nil || sig == nil || signer == nil {
- return newSignatureFailed()
+ return nil, newSignatureFailed()
 }
- return nil
+ return sig, nil
 }
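Review bot: The retry on `sig, signer, err = openpgp.VerifyDetachedSignatureAndHash(pubKeyEntries, origText, signatureReader, allowedHashes, config)` rewinds only signatureReader; origText is a plain io.Reader that the first verification already consumed, so unless the library buffers it or something in the unseen lines 143-146 resets it, the second pass hashes an exhausted stream and the expired-but-offset case ends in `return nil, newSignatureFailed()` regardless of the signature's validity. That looks pre-existing, but the new (*packet.Signature, error) shape makes it indistinguishable from a forged signature, so it deserves at least `// NOTE: origText is not rewound here; the retry only works if it can be re-read` until confirmed. Separately, the rewritten `return nil, newSignatureFailed()` after the Seek check drops err, turning a reader problem into a generic verification failure; if newSignatureFailed (not visible) can carry a cause it should, otherwise a one-line comment should mark the collapse as deliberate. The function's opening lines are outside this hunk.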