if primary key is invalid, so are subkeys

2018-03-12 23:17:07 +01:00 · 2018-03-12 23:17:07 +01:00 · 38508b33d1
commit 38508b33d1
parent a94ca90653
2 changed files with 32 additions and 57 deletions
--- a/src/key.js
+++ b/src/key.js
@ -269,19 +269,20 @@ function isValidSigningKeyPacket(keyPacket, signature, date=new Date()) {
 */
 Key.prototype.getSigningKeyPacket = async function (keyId=null, date=new Date()) {
  const primaryKey = this.primaryKey;
-  const primaryUser = await this.getPrimaryUser(date);
-  if (primaryUser && (!keyId || primaryKey.getKeyId().equals(keyId)) &&
-      isValidSigningKeyPacket(primaryKey, primaryUser.selfCertification, date) &&
-      await this.verifyPrimaryKey(date)) {
-    return primaryKey;
-  }
-  for (let i = 0; i < this.subKeys.length; i++) {
-    if (!keyId || this.subKeys[i].subKey.getKeyId().equals(keyId)) {
-      // eslint-disable-next-line no-await-in-loop
-      await this.subKeys[i].verify(primaryKey, date);
-      for (let j = 0; j < this.subKeys[i].bindingSignatures.length; j++) {
-        if (isValidSigningKeyPacket(this.subKeys[i].subKey, this.subKeys[i].bindingSignatures[j], date)) {
-          return this.subKeys[i].subKey;
+  if (await this.verifyPrimaryKey(date) === enums.keyStatus.valid) {
+    const primaryUser = await this.getPrimaryUser(date);
+    if (primaryUser && (!keyId || primaryKey.getKeyId().equals(keyId)) &&
+        isValidSigningKeyPacket(primaryKey, primaryUser.selfCertification, date)) {
+      return primaryKey;
+    }
+    for (let i = 0; i < this.subKeys.length; i++) {
+      if (!keyId || this.subKeys[i].subKey.getKeyId().equals(keyId)) {
+        // eslint-disable-next-line no-await-in-loop
+        await this.subKeys[i].verify(primaryKey, date);
+        for (let j = 0; j < this.subKeys[i].bindingSignatures.length; j++) {
+          if (isValidSigningKeyPacket(this.subKeys[i].subKey, this.subKeys[i].bindingSignatures[j], date)) {
+            return this.subKeys[i].subKey;
+          }
        }
      }
    }
@ -314,25 +315,26 @@ function isValidEncryptionKeyPacket(keyPacket, signature, date=new Date()) {
 */
 Key.prototype.getEncryptionKeyPacket = async function(keyId, date=new Date()) {
  const primaryKey = this.primaryKey;
-  // V4: by convention subkeys are preferred for encryption service
-  // V3: keys MUST NOT have subkeys
-  for (let i = 0; i < this.subKeys.length; i++) {
-    if (!keyId || this.subKeys[i].subKey.getKeyId().equals(keyId)) {
-      // eslint-disable-next-line no-await-in-loop
-      await this.subKeys[i].verify(primaryKey, date);
-      for (let j = 0; j < this.subKeys[i].bindingSignatures.length; j++) {
-        if (isValidEncryptionKeyPacket(this.subKeys[i].subKey, this.subKeys[i].bindingSignatures[j], date)) {
-          return this.subKeys[i].subKey;
+  if (await this.verifyPrimaryKey(date) === enums.keyStatus.valid) {
+    // V4: by convention subkeys are preferred for encryption service
+    // V3: keys MUST NOT have subkeys
+    for (let i = 0; i < this.subKeys.length; i++) {
+      if (!keyId || this.subKeys[i].subKey.getKeyId().equals(keyId)) {
+        // eslint-disable-next-line no-await-in-loop
+        await this.subKeys[i].verify(primaryKey, date);
+        for (let j = 0; j < this.subKeys[i].bindingSignatures.length; j++) {
+          if (isValidEncryptionKeyPacket(this.subKeys[i].subKey, this.subKeys[i].bindingSignatures[j], date)) {
+            return this.subKeys[i].subKey;
+          }
        }
      }
    }
-  }
-  // if no valid subkey for encryption, evaluate primary key
-  const primaryUser = await this.getPrimaryUser(date);
-  if (primaryUser && (!keyId || primaryKey.getKeyId().equals(keyId)) &&
-      isValidEncryptionKeyPacket(primaryKey, primaryUser.selfCertification, date) &&
-      await this.verifyPrimaryKey(date)) {
-    return primaryKey;
+    // if no valid subkey for encryption, evaluate primary key
+    const primaryUser = await this.getPrimaryUser(date);
+    if (primaryUser && (!keyId || primaryKey.getKeyId().equals(keyId)) &&
+        isValidEncryptionKeyPacket(primaryKey, primaryUser.selfCertification, date)) {
+      return primaryKey;
+    }
  }
  return null;
 };
@ -392,33 +394,6 @@ Key.prototype.isRevoked = async function(signature, key, date=new Date()) {
  );
 };

-/**
- * Returns a packetlist containing all verified public or private key packets matching keyId.
- * If keyId is not present, returns all verified key packets starting with the primary key.
- * Verification is in the context of given date.
- * @param  {type/keyid} keyId
- * @param  {Date}       date  Use the given date instead of the current time
- * @returns {Promise<module:packet/packetlist>}
- * @async
- */
-Key.prototype.verifyKeyPackets = async function(keyId=null, date=new Date()) {
-  const packets = new packet.List();
-  const { primaryKey } = this;
-  if (await this.verifyPrimaryKey(date)) {
-    if (!keyId || primaryKey.getKeyId().equals(keyId)) {
-      packets.push(primaryKey);
-    }
-  }
-  await Promise.all(this.subKeys.map(async subKey => {
-    if (!keyId || subKey.subKey.getKeyId().equals(keyId)) {
-      if (await subKey.verify(primaryKey, date)) {
-        packets.push(subKey.subKey);
-      }
-    }
-  }));
-  return packets;
-};
-
 /**
 * Verify primary key. Checks for revocation signatures, expiration time
 * and valid self signature
--- a/test/general/key.js
+++ b/test/general/key.js
@ -773,7 +773,7 @@ describe('Key', function() {
    const pubKey = pubKeys.keys[0];
    expect(pubKey).to.exist;

-    const packetlist = new openpgp.packet.Packetlist();
+    const packetlist = new openpgp.packet.List();

    packetlist.read(openpgp.armor.decode(pub_sig_test).data);