Merge pull request #39 from kushaldas/say_no_to_null_policy

Fixes #29 uses StandardPolicy everywhere
kushaldas · Oct 19, 2020 · 22264f6 · 22264f6
2 parents af57cc4 + a338850
commit 22264f6
Show file tree

Hide file tree

Showing 14 changed files with 712 additions and 1,202 deletions.
diff --git a/docs/introduction.rst b/docs/introduction.rst
@@ -42,6 +42,10 @@ Now, if we check the directory from the shell, we will find the keys imported th
         as the key store. `SecureDrop <https://securedrop.org>`_ uses **/var/lib/securedrop/store** as their key storage (via gpg's python binding).
 
 
+.. warning:: This module does not handle keys still using `sha1` or `md5` for hash algorithms. If you are using any such old key, please generate new key
+        and use them along wtih the module. `This function <https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html#method.reject_hash_at>`_ explains in some details why.
+
+
 KeyStore path for the applicaitons which can run per user
 ----------------------------------------------------------
 

diff --git a/src/lib.rs b/src/lib.rs
@@ -27,7 +27,6 @@ use crate::openpgp::parse::stream::{
 };
 
 use crate::openpgp::parse::Parse;
-use crate::openpgp::policy::NullPolicy as NP;
 use crate::openpgp::policy::Policy;
 use crate::openpgp::policy::StandardPolicy as P;
 use crate::openpgp::serialize::stream::{Encryptor, LiteralWriter, Message, Signer};
@@ -168,12 +167,12 @@ impl VerificationHelper for VHelper {
 
 // To create key pairs; from the given Cert
 fn get_keys(cert: &openpgp::cert::Cert, password: String) -> Vec<openpgp::crypto::KeyPair> {
-    let p = &NP::new();
+    let p = P::new();
 
     let mut keys = Vec::new();
     for key in cert
         .keys()
-        .with_policy(p, None)
+        .with_policy(&p, None)
         .alive()
         .revoked(false)
         .for_signing()
@@ -294,15 +293,15 @@ fn internal_parse_cert(
     py: Python,
     cert: openpgp::Cert,
 ) -> PyResult<(PyObject, String, bool, PyObject, PyObject)> {
-    let p = &NP::new();
+    let p = P::new();
     let creationtime = match find_creation_time(cert.clone()) {
         Some(ctime) => Some(PyDateTime::from_timestamp(py, ctime, None).unwrap()),
         None => None,
     };
 
     let expirationtime = match cert
         .primary_key()
-        .with_policy(p, None)
+        .with_policy(&p, None)
         .unwrap()
         .key_expiration_time()
     {
@@ -447,10 +446,10 @@ fn encrypt_bytes_to_file(
     }
     let mode = KeyFlags::empty().set_storage_encryption();
 
-    let p = &NP::new();
+    let p = P::new();
     let recipients = certs.iter().flat_map(|cert| {
         cert.keys()
-            .with_policy(p, None)
+            .with_policy(&p, None)
             .alive()
             .revoked(false)
             .key_flags(&mode)
@@ -608,10 +607,10 @@ fn encrypt_bytes_to_bytes(
 
     let mode = KeyFlags::empty().set_storage_encryption();
 
-    let p = &NP::new();
+    let p = P::new();
     let recipients = certs.iter().flat_map(|cert| {
         cert.keys()
-            .with_policy(p, None)
+            .with_policy(&p, None)
             .alive()
             .revoked(false)
             .key_flags(&mode)
@@ -677,11 +676,11 @@ impl Johnny {
         armor: Option<bool>,
     ) -> PyResult<PyObject> {
         let mode = KeyFlags::empty().set_storage_encryption();
-        let p = &NP::new();
+        let p = P::new();
         let recipients = self
             .cert
             .keys()
-            .with_policy(p, None)
+            .with_policy(&p, None)
             .alive()
             .revoked(false)
             .key_flags(&mode);
@@ -726,7 +725,7 @@ impl Johnny {
     }
 
     pub fn decrypt_bytes(&self, py: Python, data: Vec<u8>, password: String) -> PyResult<PyObject> {
-        let p = &NP::new();
+        let p = P::new();
 
         let mut result = Vec::new();
         let reader = std::io::BufReader::new(&data[..]);
@@ -741,7 +740,7 @@ impl Johnny {
                 )))
             }
         };
-        let mut decryptor = match dec2.with_policy(p, None, Helper::new(p, &self.cert, &password)) {
+        let mut decryptor = match dec2.with_policy(&p, None, Helper::new(&p, &self.cert, &password)) {
             Ok(decr) => decr,
             Err(msg) => return Err(PyValueError::new_err(format!("Failed to decrypt: {}", msg))),
         };
@@ -825,14 +824,14 @@ impl Johnny {
         output: Vec<u8>,
         password: String,
     ) -> PyResult<bool> {
-        let p = &NP::new();
+        let p = P::new();
 
         let input = File::open(str::from_utf8(&filepath[..]).unwrap()).unwrap();
         let mut outfile = File::create(str::from_utf8(&output[..]).unwrap()).unwrap();
 
         let mut decryptor = DecryptorBuilder::from_reader(input)
             .unwrap()
-            .with_policy(p, None, Helper::new(p, &self.cert, &password))
+            .with_policy(&p, None, Helper::new(&p, &self.cert, &password))
             .unwrap();
         std::io::copy(&mut decryptor, &mut outfile).unwrap();
         Ok(true)
@@ -850,23 +849,23 @@ impl Johnny {
     }
 
     pub fn verify_bytes(&self, data: Vec<u8>, sig: Vec<u8>) -> PyResult<bool> {
-        let p = &P::new();
+        let p = P::new();
         let vh = VHelper::new(&self.cert);
         let mut v = DetachedVerifierBuilder::from_bytes(&sig[..])
             .unwrap()
-            .with_policy(p, None, vh)
+            .with_policy(&p, None, vh)
             .unwrap();
         match v.verify_bytes(data) {
             Ok(()) => return Ok(true),
             Err(_) => return Ok(false),
         };
     }
     pub fn verify_file(&self, filepath: Vec<u8>, sig: Vec<u8>) -> PyResult<bool> {
-        let p = &P::new();
+        let p = P::new();
         let vh = VHelper::new(&self.cert);
         let mut v = DetachedVerifierBuilder::from_bytes(&sig[..])
             .unwrap()
-            .with_policy(p, None, vh)
+            .with_policy(&p, None, vh)
             .unwrap();
         let path = Path::new(str::from_utf8(&filepath[..]).unwrap());
         match v.verify_file(path) {

diff --git a/tests/files/double_recipient.asc b/tests/files/double_recipient.asc
@@ -1,28 +1,19 @@
 -----BEGIN PGP MESSAGE-----
 
-hQIMA3bn6DMj2aOvAQ//emjQs3K7ULFskf6IQqlXKVghq2Mby4tNm075tvH59dmb
-0ZyPToTsJf0AVJ+i7l//UDtrK+cbN5qoIyqXKtZAiaVeg+y9sTPFGUZiWPy7OHlg
-p8WPhpibhFSpxS5MLLsyXPyF0VFSSo64kKlzS/IXZBx03IOZfCo3ESfUnX4Hor8F
-VfMsd0mfqjgRSMyySQaPxy8pbUh7+UizSO1nB6e0z/nZfORWOxUWj7Eir2bmWDCX
-nZa0WtkRpThLbnqZ7SbNaHjhsopxwUX3wCAa2QkP+GdenX1HI3RmnnXrhhKl7KSQ
-jELMMiadsMlQB/Y720peP8X4b2dIz2TKNatnk1z61pzdsQFAzlcXcEoGtwhiIW10
-YjvXFQtXocME/uhwMnrYv/pj2StQCAufcgED+hTx04+qYZ2p5YMPrffVYpPiyeWv
-Cv+O/Xe9wcv+NZimlm8k/2woPTfSOdPuEbikkDpyXEN9kfb4Ox6ydKG97k1lsq3Y
-NQ27KJu4zSNfstbAdbnI+JFE8AYs6mJ7vYuS1mmoH1CfSGv3pHchoEuJXlWduZUw
-kGB+TeGIYlKzJpvD4ObB8hSTSzVQbeGVJJf9JPWlvSRS+3fr1cuhkLDyE8RoYsVs
-KQQUcXvrVsBLQ+ejLjY3Ie48UERtN9bMxvLcbZpEMEO5tv5GJbmiSkkLYLZDUXGF
-AgwDPOFwEVz0Mi4BEACHRqH76coWhFtEMZ8/tT6bZbecsUO/CLdD64akABVpHQMp
-LCRmqBwj9Lh4b6d55kMqv5+UzwsCeGp+oUPLkTe16myKyL6ux6Bkqsmy6MzaQY9L
-syC6Q298mhf09Bgaa0C0xpdArUJOr2dDo6zW8gnTeDo6SxOdNHZMqhT5e40sUk0r
-F2s1DgytkT/Km3jtzSB9Ic1Zg1QAtzplSVjA5+5Z1X8k/9LodPFCaU1XsD3fC8Iz
-7m2v9BIEmoz8eEj3iSKD+GVYG4V+J2gLWSVXAB5zxvzY0TJuIkP/1IF6aOLX7xNP
-VVy/1k+ply94gtab3byejooJBHWwGnQQ4KIG4qYpOYyZcnGbkvfpTQPndOj567uK
-UP9801AXQQjc++un6dq8JMSmru62UhFfdZQWVHyIV2eYjEqAPJKg2+WyhMd6hgOH
-7OP5OPaMF0cxwVO91dr7D3Muv/F+lNstOZBEGUHB+Aty+9M1rzIdLeqP64ckeLSC
-KLcB6v8mR890kgouTuYYzd0vxiduhwnJVwrSVo5ltYX5bAgSZCXlEnBRp0KnzFFy
-q2qA3AWUGEtIccw5qpxBvJxwCsYKgy9HHDByEZsWgbLsRcZs/7c9p8g4KEAnFlk4
-uLqHLdIpDM41If+XqDQ+avK6K1+p5fLZUyC2ZlugRNRA2O59IMLfy9ydHArXM9JB
-AfyubWeI+QtJQ28z1uJ2cwtScYNAPc1kcQBhn4TxRwvjzYxwOgCkCaVcECXiS0Y9
-pOXnmVv6tZ+l3m4ICqd4Wg0=
-=yx6K
+wcFMAxz5gLjmnhEqAQ//YZnhm5K1buTitBUdxImhvggeZx7QfcguCzlRpOEljiVi
+bjNZLHHfbfUJ02gKjCjYfjnMIRmPV6qP75ghEFfG64HBMqYyl8jA1xbW0YEWuo5R
+SqWaL/p+jSy4+7z7Bv+79M4MggDZLEz85xFR6cv6/dPRxU7o/ZlGJPtnkvVs1zRb
+Wo8TC+RuSAymq/52GlxfedgbXCbu/zePquFnMjpXldTLHrXNrk2ms4g8I84WyHyt
+X8ell0hPqexZ2DD1YaQYqgw0M72CE8p5z4mnUYQTKEE0t7c1whec8bu4whd/d3JQ
+8SrgFGVXO1ub/tYXFhJPAeCRRW14mCX4I84M8I8qXnFSu7WzmX5hXYqFoXgBCpvw
+fmMGPA0fmjNg0FI3FhJw2Kw9BJPKcgfBm8alH+/JHs6CLr5rh9xi9SWoXgsLLtis
+qlqvHSelnct7m66gxhU5EJAAAkz5C2HKrqdX6dSgmyu2hBmHjxlEIUyGE+CrkT0b
+9X/N0hG4bJTFyAiCHaXae/XVNVUYPMjvH55YRewEscF1QLOspma9SGWwtBPLCzTj
+sFrKl9RmjddZ/pfdrPaSY3nBBrZrtpBtuTu1Zv7hJu8FTR6nR8o5oKhdbr6dUgZF
+MNot2Jh2BwMFPcrhT7NEsTudVpUaI79JvtmBai+aHfavFunk1LZSfGE4RWc9sjHB
+XgNaehVg1G7U9hIBB0COOjyp1mCj9Ifz6x6VVwypi+kMsHsrUt8r2jBETUHlejDE
+zu/HJtuqqdJcKtMA982UlQUUwTaR2dWybatJW1jS4E2F5iEijizqniaUEvcI2aDS
+TwEGQp8GNrDCSieYKFLmV08VNho0Vyryb0hRx8jJj4vUqVOM4pmhYm8NP1LyP3BB
+t8aYGlBrupTo4lMALSM88o1ISY+wJizDP4Or/VJjf9c=
+=/YC3
 -----END PGP MESSAGE-----