sequoia_openpgp/policy.rs
1//! A mechanism to specify policy.
2//!
3//! A major goal of the Sequoia OpenPGP crate is to be policy free.
4//! However, many mid-level operations build on low-level primitives.
5//! For instance, finding a certificate's primary User ID means
6//! examining each of its User IDs and their current self-signature.
7//! Some algorithms are considered broken (e.g., MD5) and some are
8//! considered weak (e.g. SHA-1). When dealing with data from an
9//! untrusted source, for instance, callers will often prefer to
10//! ignore signatures that rely on these algorithms even though [RFC
11//! 4880] says that "\[i\]mplementations MUST implement SHA-1." When
12//! trying to decrypt old archives, however, users probably don't want
13//! to ignore keys using MD5, even though [Section 9.5 of RFC 9580]
14//! deprecates MD5.
15//!
16//! Rather than not provide this mid-level functionality, the `Policy`
17//! trait allows callers to specify their preferred policy. This can be
18//! highly customized by providing a custom implementation of the
19//! `Policy` trait, or it can be slightly refined by tweaking the
20//! `StandardPolicy`'s parameters.
21//!
22//! When implementing the `Policy` trait, it is *essential* that the
23//! functions are [pure]. That is, if the same `Policy` is used
24//! to determine whether a given `Signature` is valid, it must always
25//! return the same value.
26//!
27//! [Section 9.5 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-9.5
28//! [pure]: https://en.wikipedia.org/wiki/Pure_function
29use std::fmt;
30use std::time::{SystemTime, Duration};
31use std::u32;
32
33use anyhow::Context;
34
35use crate::{
36 cert::prelude::*,
37 Error,
38 Packet,
39 packet::{
40 key,
41 Signature,
42 signature::subpacket::{
43 SubpacketTag,
44 SubpacketValue,
45 },
46 Tag,
47 },
48 Result,
49 types,
50 types::{
51 AEADAlgorithm,
52 HashAlgorithm,
53 SignatureType,
54 SymmetricAlgorithm,
55 Timestamp,
56 },
57};
58
59#[macro_use] mod cutofflist;
60use cutofflist::{
61 CutoffList,
62 REJECT,
63 ACCEPT,
64 VersionedCutoffList,
65};
66
67/// A policy for cryptographic operations.
68pub trait Policy : fmt::Debug + Send + Sync {
69 /// Returns an error if the signature violates the policy.
70 ///
71 /// This function performs the last check before the library
72 /// decides that a signature is valid. That is, after the library
73 /// has determined that the signature is well-formed, alive, not
74 /// revoked, etc., it calls this function to allow you to
75 /// implement any additional policy. For instance, you may reject
76 /// signatures that make use of cryptographically insecure
77 /// algorithms like SHA-1.
78 ///
79 /// Note: Whereas it is generally better to reject suspicious
80 /// signatures, one should be more liberal when considering
81 /// revocations: if you reject a revocation certificate, it may
82 /// inadvertently make something else valid!
83 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
84 Err(Error::PolicyViolation(
85 "By default all signatures are rejected.".into(), None).into())
86 }
87
88 /// Returns an error if the key violates the policy.
89 ///
90 /// This function performs one of the last checks before a
91 /// `KeyAmalgamation` or a related data structures is turned into
92 /// a `ValidKeyAmalgamation`, or similar.
93 ///
94 /// Internally, the library always does this before using a key.
95 /// The sole exception is when creating a key using `CertBuilder`.
96 /// In that case, the primary key is not validated before it is
97 /// used to create any binding signatures.
98 ///
99 /// Thus, you can prevent keys that make use of insecure
100 /// algorithms, don't have a sufficiently high security margin
101 /// (e.g., 1024-bit RSA keys), are on a bad list, etc. from being
102 /// used here.
103 ///
104 /// If you implement this function, make sure to consider the Key
105 /// Derivation Function and Key Encapsulation parameters of ECDH
106 /// keys, see [`PublicKey::ECDH`].
107 ///
108 /// [`PublicKey::ECDH`]: crate::crypto::mpi::PublicKey::ECDH
109 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
110 -> Result<()>
111 {
112 Err(Error::PolicyViolation(
113 "By default all keys are rejected.".into(), None).into())
114 }
115
116 /// Returns an error if the symmetric encryption algorithm
117 /// violates the policy.
118 ///
119 /// This function performs the last check before an encryption
120 /// container is decrypted by the streaming decryptor.
121 ///
122 /// With this function, you can prevent the use of insecure
123 /// symmetric encryption algorithms.
124 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
125 Err(Error::PolicyViolation(
126 "By default all symmetric algorithms are rejected.".into(), None).into())
127 }
128
129 /// Returns an error if the AEAD mode violates the policy.
130 ///
131 /// This function performs the last check before an encryption
132 /// container is decrypted by the streaming decryptor.
133 ///
134 /// With this function, you can prevent the use of insecure AEAD
135 /// constructions.
136 ///
137 /// This feature is [experimental](super#experimental-features).
138 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
139 Err(Error::PolicyViolation(
140 "By default all AEAD algorithms are rejected.".into(), None).into())
141 }
142
143 /// Returns an error if the packet violates the policy.
144 ///
145 /// This function performs the last check before a packet is
146 /// considered by the streaming verifier and decryptor.
147 ///
148 /// With this function, you can prevent the use of insecure
149 /// encryption containers, notably the *Symmetrically Encrypted
150 /// Data Packet*.
151 fn packet(&self, _packet: &Packet) -> Result<()> {
152 Err(Error::PolicyViolation(
153 "By default all packets are rejected.".into(), None).into())
154 }
155}
156
157/// Whether the signed data requires a hash algorithm with collision
158/// resistance.
159///
160/// Since the context of a signature is not passed to
161/// `Policy::signature`, it is not possible to determine from that
162/// function whether the signature requires a hash algorithm with
163/// collision resistance. This enum indicates this.
164///
165/// In short, many self signatures only require second pre-image
166/// resistance. This can be used to extend the life of hash
167/// algorithms whose collision resistance has been partially
168/// compromised. Be careful. Read the background and the warning
169/// before accepting the use of weak hash algorithms!
170///
171/// # Warning
172///
173/// Although distinguishing whether signed data requires collision
174/// resistance can be used to permit the continued use of a hash
175/// algorithm in certain situations, once attacks against a hash
176/// algorithm are known, it is imperative to retire the use of the
177/// hash algorithm as soon as it is feasible. Cryptoanalytic attacks
178/// improve quickly, as demonstrated by the attacks on SHA-1.
179///
180/// # Background
181///
182/// Cryptographic hash functions normally have three security
183/// properties:
184///
185/// - Pre-image resistance,
186/// - Second pre-image resistance, and
187/// - Collision resistance.
188///
189/// A hash algorithm has pre-image resistance if given a hash `h`, it
190/// is impractical for an attacker to find a message `m` such that `h
191/// = hash(m)`. In other words, a hash algorithm has pre-image
192/// resistance if it is hard to invert. A hash algorithm has second
193/// pre-image resistance if it is impractical for an attacker to find
194/// a second message with the same hash as the first. That is, given
195/// `m1`, it is hard for an attacker to find an `m2` such that
196/// `hash(m1) = hash(m2)`. And, a hash algorithm has collision
197/// resistance if it is impractical for an attacker to find two
198/// messages with the same hash. That is, it is hard for an attacker
199/// to find an `m1` and an `m2` such that `hash(m1) = hash(m2)`.
200///
201/// In the context of verifying an OpenPGP signature, we don't need a
202/// hash algorithm with pre-image resistance. Pre-image resistance is
203/// only required when the message is a secret, e.g., a password. We
204/// always need a hash algorithm with second pre-image resistance,
205/// because an attacker must not be able to repurpose an arbitrary
206/// signature, i.e., create a collision with respect to a *known*
207/// hash. And, we need collision resistance when a signature is over
208/// data that could have been influenced by an attacker: if an
209/// attacker creates a pair of colliding messages and convinces the
210/// user to sign one of them, then the attacker can copy the signature
211/// to the other message.
212///
213/// Collision resistance implies second pre-image resistance, but not
214/// vice versa. If an attacker can find a second message with the
215/// same hash as some known message, they can also create a collision
216/// by choosing an arbitrary message and using their pre-image attack
217/// to find a colliding message. Thus, a context that requires
218/// collision resistance also requires second pre-image resistance.
219///
220/// Because collision resistance is with respect to two arbitrary
221/// messages, collision resistance is always susceptible to a
222/// [birthday paradox]. This means that the security margin of a hash
223/// algorithm's collision resistance is half of the security margin of
224/// its second pre-image resistance. And, in practice, the collision
225/// resistance of industry standard hash algorithms has been
226/// practically attacked multiple times. In the context of SHA-1,
227/// Wang et al. described how to find collisions in SHA-1 in their
228/// 2005 paper [Finding Collisions in the Full SHA-1]. In 2017,
229/// Stevens et al. published [The First Collision for Full SHA-1],
230/// which demonstrates the first practical attack on SHA-1's collision
231/// resistance, an identical-prefix collision attack. This attack
232/// only gives the attacker limited control over the content of the
233/// collided messages, which limits its applicability. However, in
234/// 2020, Leurent and Peyrin published [SHA-1 is a Shambles], which
235/// demonstrates a practical chosen-prefix collision attack. This
236/// attack gives the attacker complete control over the prefixes of
237/// the collided messages.
238///
239/// [birthday paradox]: https://en.wikipedia.org/wiki/Birthday_attack#Digital_signature_susceptibility
240/// [Finding Collisions in the Full SHA-1]: https://link.springer.com/chapter/10.1007/11535218_2
241/// [The first collision for full SHA-1]: https://shattered.io/
242/// [SHA-1 is a Shambles]: https://sha-mbles.github.io/
243///
244/// A chosen-prefix collision attack works as follows: an attacker
245/// chooses two arbitrary message prefixes, and then searches for
246/// so-called near collision blocks. These near collision blocks
247/// cause the internal state of the hashes to converge and eventually
248/// result in a collision, i.e., an identical hash value. The attack
249/// described in the [SHA-1 is a Shambles] paper requires 8 to 10 near
250/// collision blocks (512 to 640 bytes) to fully synchronize the
251/// internal state.
252///
253/// SHA-1 is a [Merkle-Damgård hash function]. This means that the
254/// hash function processes blocks one after the other, and the
255/// internal state of the hash function at any given point only
256/// depends on earlier blocks in the stream. A consequence of this is
257/// that it is possible to append a common suffix to the collided
258/// messages without any additional computational effort. That is, if
259/// `hash(m1) = hash(m2)`, then it necessarily holds that `hash(m1 ||
260/// suffix) = hash(m2 || suffix)`. This is called a [length extension
261/// attack].
262///
263/// [Merkle-Damgård hash function]: https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction
264/// [length extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack
265///
266/// Thus, the [SHA-1 is a Shambles] attack solves the following:
267///
268/// ```text
269/// hash(m1 || collision blocks 1 || suffix) = hash(m2 || collision blocks 2 || suffix)
270/// ```
271///
272/// Where `m1`, `m2`, and `suffix` are controlled by the attacker, and
273/// only the collision blocks are controlled by the algorithm.
274///
275/// If an attacker can convince an OpenPGP user to sign a message of
276/// their choosing (some `m1 || collision blocks 1 || suffix`), then
277/// the attacker also has a valid signature from the victim for a
278/// colliding message (some `m2 || collision blocks 2 || suffix`).
279///
280/// The OpenPGP format imposes some additional constraints on the
281/// attacker. Although the attacker may control the message, the
282/// signature is also over a [signature packet], and a trailer.
283/// Specifically, [the following is signed] when signing a document:
284///
285/// ```text
286/// hash(document || sig packet || 0x04 || sig packet len)
287/// ```
288///
289/// and the [following is signed] when signing a binding signature:
290///
291/// ```text
292/// hash(public key || subkey || sig packet || 0x04 || sig packet len)
293/// ```
294///
295/// [signature packet]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3
296/// [the following is signed]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.4
297///
298/// Since the signature packet is chosen by the victim's OpenPGP
299/// implementation, the attacker may be able to predict it, but they
300/// cannot store the collision blocks there. Thus, the signature
301/// packet is necessarily part of the common suffix, and the collision
302/// blocks must occur earlier in the stream.
303///
304/// This restriction on the signature packet means that an attacker
305/// cannot convince the victim to sign a document, and then transfer
306/// that signature to a colliding binding signature. These signatures
307/// necessarily have different [signature packet]s: the value of the
308/// [signature type] field is different. And, as just described, for
309/// this attack, the signature packets must be identical, because they
310/// are part of the common suffix. Finally, the trailer, which
311/// contains the signature packet's length, prevents hiding a
312/// signature in a signature.
313///
314/// [signature type]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.1
315///
316/// Given this, if we know for a given signature type that an attacker
317/// cannot control any of the data that is signed, then that type of
318/// signature does not need collision resistance; it is still
319/// vulnerable to an attack on the hash's second pre-image resistance
320/// (a collision with a specific message), but not one on its
321/// collision resistance (a collision with any message). This is the
322/// case for binding signatures, and direct key signatures. But, it
323/// is not normally the case for documents (the attacker may be able
324/// to control the content of the document), certifications (the
325/// attacker may be able to control the key packet, the User ID
326/// packet, or the User Attribute packet), or certificate revocations
327/// (the attacker may be able to control the key packet).
328///
329/// Certification signatures and revocations signatures can be further
330/// divided into self signatures and third-party signatures. If an
331/// attacker can convince a victim into signing a third-party
332/// signature, as was done in the [SHA-1 is a Shambles], they may be
333/// able to transfer the signature to a colliding self signature. If
334/// we can show that an attacker can't collide a self signature, and a
335/// third-party signature, then we may be able to show that self
336/// signatures don't require collision resistance. The same
337/// consideration holds for revocations and third-party revocations.
338///
339/// We first consider revocations, which are more straightforward.
340/// The attack is the following: an attacker creates a fake
341/// certificate (A), and sets the victim as a designated revoker.
342/// They then ask the victim to revoke their certificate (V). The
343/// attacker than transfers the signature to a colliding self
344/// revocation, which causes the victim's certificate (V) to be
345/// revoked.
346///
347/// A revocation is over a public key packet and a signature packet.
348/// In this scenario, the attacker controls the fake certificate (A)
349/// and thus the public key packet that the victim actually signs.
350/// But the victim's public key packet is determined by their
351/// certificate (V). Thus, the attacker would have to insert the near
352/// collision blocks in the signature packet, which, as we argued
353/// before, is not possible. Thus, it is safe to only use a hash with
354/// pre-image resistance to protect a self-revocation.
355///
356/// We now turn to self signatures. The attack is similar to the
357/// [SHA-1 is a Shambles] attack. An attacker creates a certificate
358/// (A) and convinces the victim to sign it. The attacker can then
359/// transfer the third-party certification to a colliding self
360/// signature for the victim's certificate (V). If successful, this
361/// attack allows the attacker to add a User ID or a User Attribute to
362/// the victim's certificate (V). This can confuse people who use the
363/// victim's certificate. For instance, if the attacker adds the
364/// identity `alice@example.org` to the victim's certificate, and Bob
365/// receives a message signed using the victim's certificate (V), he
366/// may think that Alice signed the message instead of the victim.
367/// Bob won't be tricked if he uses strong authentication, but many
368/// OpenPGP users use weak authentication (e.g., TOFU) or don't
369/// authenticate keys at all.
370///
371/// A certification is over a public key packet, a User ID or User
372/// Attribute packet, and a signature packet. The attacker controls
373/// the fake certificate (A) and therefore the public key packet, and
374/// the User ID or User Attribute packet that the victim signs.
375/// However, to trick the victim, the User ID packet or User Attribute
376/// packet needs to correspond to an identity that the attacker
377/// appears to control. Thus, if the near collision blocks are stored
378/// in the User ID or User Attribute packet of A, they have to be
379/// hidden to avoid making the victim suspicious. This is
380/// straightforward for User Attributes, which are currently images,
381/// and have many places to hide this type of data. However, User IDs
382/// are normally [UTF-8 encoded RFC 2822 mailbox]es, which makes
383/// hiding half a kilobyte of binary data impractical. The attacker
384/// does not control the victim's public key (in V). But, they do
385/// control the malicious User ID or User Attribute that they want to
386/// attack to the victim's certificate (V). But again, the near
387/// collision blocks have to be hidden in order to trick Bob, the
388/// second victim. Thus, the attack has two possibilities: they can
389/// hide the near collision blocks in the fake public key (in A), and
390/// the User ID or User Attribute (added to V); or, they can hide them
391/// in the fake User IDs or User Attributes (in A and the one added to
392/// V).
393///
394/// As evidenced by the [SHA-1 is a Shambles] attack, it is possible
395/// to hide near collision blocks in User Attribute packets. Thus,
396/// this attack can be used to transfer a third-party certification
397/// over a User Attribute to a self signature over a User Attribute.
398/// As such, self signatures over User Attributes need collision
399/// resistance.
400///
401/// The final case to consider is hiding the near collision blocks in
402/// the User ID that the attacker wants to add to the victim's
403/// certificate. Again, it is possible to store the near collision
404/// blocks there. However, there are two mitigating factors. First,
405/// there is no place to hide the blocks. As such, the user must be
406/// convinced to ignore them. Second, a User ID is structure: it
407/// normally contains a [UTF-8 encoded RFC 2822 mailbox]. Thus, if we
408/// only consider valid UTF-8 strings, and limit the maximum size, we
409/// can dramatically increase the workfactor, which can extend the life
410/// of a hash algorithm whose collision resistance has been weakened.
411///
412/// [UTF-8 encoded RFC 2822 mailbox]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.11
413#[derive(Debug, Clone, Copy, Eq, PartialEq)]
414pub enum HashAlgoSecurity {
415 /// The signed data only requires second pre-image resistance.
416 ///
417 /// If a signature is over data that an attacker cannot influence,
418 /// then the hash function does not need to provide collision
419 /// resistance. This is **only** the case for:
420 ///
421 /// - Subkey binding signatures
422 /// - Primary key binding signatures
423 /// - Self revocations
424 ///
425 /// Due to the structure of User IDs (they are normally short,
426 /// UTF-8 encoded RFC 2822 mailboxes), self signatures over short,
427 /// reasonable User IDs (**not** User Attributes) also don't
428 /// require strong collision resistance. Thus, we also only
429 /// require a signature with second pre-image resistance for:
430 ///
431 /// - Self signatures over reasonable User IDs
432 SecondPreImageResistance,
433 /// The signed data requires collision resistance.
434 ///
435 /// If a signature is over data that an attacker can influence,
436 /// then the hash function must provide collision resistance.
437 /// This is the case for documents, third-party certifications,
438 /// and third-party revocations.
439 ///
440 /// Note: collision resistance implies second pre-image
441 /// resistance. Thus, when evaluating whether a hash algorithm
442 /// has collision resistance, we also check whether it has second
443 /// pre-image resistance.
444 CollisionResistance,
445}
446
447impl Default for HashAlgoSecurity {
448 /// The default is the most conservative policy.
449 fn default() -> Self {
450 HashAlgoSecurity::CollisionResistance
451 }
452}
453
454/// The standard policy.
455///
456/// The standard policy stores when each algorithm in a family of
457/// algorithms is no longer considered safe. Attempts to use an
458/// algorithm after its cutoff time should fail.
459///
460/// A `StandardPolicy` can be configured using Rust. Sometimes it is
461/// useful to configure it via a configuration file. This can be done
462/// using the [`sequoia-policy-config`] crate.
463///
464/// [`sequoia-policy-config`]: https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/
465///
466/// It is recommended to support using a configuration file when the
467/// program should respect the system's crypto policy. This is
468/// required on Fedora, for instance. See the [Fedora Crypto
469/// Policies] project for more information.
470///
471/// [Fedora]: https://gitlab.com/redhat-crypto/fedora-crypto-policies
472///
473/// When validating a signature, we normally want to know whether the
474/// algorithms used are safe *now*. That is, we don't use the
475/// signature's alleged creation time when considering whether an
476/// algorithm is safe, because if an algorithm is discovered to be
477/// compromised at time X, then an attacker could forge a message
478/// after time X with a signature creation time that is prior to X,
479/// which would be incorrectly accepted.
480///
481/// Occasionally, we know that a signature has not been tampered with
482/// since some time in the past. We might know this if the signature
483/// was stored on some tamper-proof medium. In those cases, it is
484/// reasonable to use the time that the signature was saved, since an
485/// attacker could not have taken advantage of any weaknesses found
486/// after that time.
487///
488/// # Examples
489///
490/// A `StandardPolicy` object can be used to build specialized policies.
491/// For example the following policy filters out Persona certifications mimicking
492/// what GnuPG does when calculating the Web of Trust.
493///
494/// ```rust
495/// use sequoia_openpgp as openpgp;
496/// use std::io::{Cursor, Read};
497/// use openpgp::Result;
498/// use openpgp::packet::{Packet, Signature, key::PublicParts};
499/// use openpgp::cert::prelude::*;
500/// use openpgp::parse::Parse;
501/// use openpgp::armor::{Reader, ReaderMode, Kind};
502/// use openpgp::policy::{HashAlgoSecurity, Policy, StandardPolicy};
503/// use openpgp::types::{
504/// SymmetricAlgorithm,
505/// AEADAlgorithm,
506/// SignatureType
507/// };
508///
509/// #[derive(Debug)]
510/// struct RejectPersonaCertificationsPolicy<'a>(StandardPolicy<'a>);
511///
512/// impl Policy for RejectPersonaCertificationsPolicy<'_> {
513/// fn key(&self, ka: &ValidErasedKeyAmalgamation<PublicParts>)
514/// -> Result<()>
515/// {
516/// self.0.key(ka)
517/// }
518///
519/// fn signature(&self, sig: &Signature, sec: HashAlgoSecurity) -> Result<()> {
520/// if sig.typ() == SignatureType::PersonaCertification {
521/// Err(anyhow::anyhow!("Persona certifications are ignored."))
522/// } else {
523/// self.0.signature(sig, sec)
524/// }
525/// }
526///
527/// fn symmetric_algorithm(&self, algo: SymmetricAlgorithm) -> Result<()> {
528/// self.0.symmetric_algorithm(algo)
529/// }
530///
531/// fn aead_algorithm(&self, algo: AEADAlgorithm) -> Result<()> {
532/// self.0.aead_algorithm(algo)
533/// }
534///
535/// fn packet(&self, packet: &Packet) -> Result<()> {
536/// self.0.packet(packet)
537/// }
538/// }
539///
540/// impl RejectPersonaCertificationsPolicy<'_> {
541/// fn new() -> Self {
542/// Self(StandardPolicy::new())
543/// }
544/// }
545///
546/// # fn main() -> Result<()> {
547/// // this key has one persona certification
548/// let data = r#"
549/// -----BEGIN PGP PUBLIC KEY BLOCK-----
550///
551/// mDMEX7JGrxYJKwYBBAHaRw8BAQdASKGcnowaZBDc2Z3rZZlWb6jEjne9sK76afbJ
552/// trd5Uw+0BlRlc3QgMoiQBBMWCAA4FiEEyZ6oBYFia3z+ooCBqR9BqiGp8AQFAl+y
553/// Rq8CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQqR9BqiGp8ASfxwEAvEb0
554/// bFr7ZgFZSDOITNptm+FEynib8mmLACsvHAmCjvIA+gOaSNyxMW6N59q7/j0sDjp1
555/// aYNgpNFLbYBZpkXXVL0GiHUEERYIAB0WIQTE4QfdkkisIbWVOcHmlsuS3dbWEwUC
556/// X7JG4gAKCRDmlsuS3dbWExEwAQCpqfiVMhjDwVFMsMpwd5r0N/8rAx8/nmgpCsK3
557/// M9TUrAD7BhTYVPRbkJqTZYd9DlLtBcbF3yNPTHlB+F2sFjI+cgo=
558/// =ZfYu
559/// -----END PGP PUBLIC KEY BLOCK-----
560/// "#;
561///
562/// let mut cursor = Cursor::new(&data);
563/// let mut reader = Reader::from_reader(&mut cursor, ReaderMode::Tolerant(Some(Kind::PublicKey)));
564///
565/// let mut buf = Vec::new();
566/// reader.read_to_end(&mut buf)?;
567/// let cert = Cert::from_bytes(&buf)?;
568///
569/// let ref sp = StandardPolicy::new();
570/// let u = cert.with_policy(sp, None)?.userids().nth(0).unwrap();
571///
572/// // Under the standard policy the persona certification is visible.
573/// assert_eq!(u.certifications().count(), 1);
574///
575/// // Under our custom policy the persona certification is not available.
576/// let ref p = RejectPersonaCertificationsPolicy::new();
577/// assert_eq!(u.with_policy(p, None)?.certifications().count(), 0);
578/// #
579/// # Ok(())
580/// # }
581/// ```
582#[derive(Clone, Debug)]
583pub struct StandardPolicy<'a> {
584 // The time. If None, the current time is used.
585 time: Option<Timestamp>,
586
587 // Hash algorithms.
588 collision_resistant_hash_algos:
589 CollisionResistantHashCutoffList,
590 second_pre_image_resistant_hash_algos:
591 SecondPreImageResistantHashCutoffList,
592 hash_revocation_tolerance: types::Duration,
593
594 // Critical subpacket tags.
595 critical_subpackets: SubpacketTagCutoffList,
596
597 // Critical notation good-list.
598 good_critical_notations: &'a [&'a str],
599
600 // Packet types.
601 packet_tags: PacketTagCutoffList,
602
603 // Symmetric algorithms.
604 symmetric_algos: SymmetricAlgorithmCutoffList,
605
606 // AEAD algorithms.
607 aead_algos: AEADAlgorithmCutoffList,
608
609 // Asymmetric algorithms.
610 asymmetric_algos: AsymmetricAlgorithmCutoffList,
611}
612
613assert_send_and_sync!(StandardPolicy<'_>);
614
615impl<'a> Default for StandardPolicy<'a> {
616 fn default() -> Self {
617 Self::new()
618 }
619}
620
621impl<'a> From<&'a StandardPolicy<'a>> for Option<&'a dyn Policy> {
622 fn from(p: &'a StandardPolicy<'a>) -> Self {
623 Some(p as &dyn Policy)
624 }
625}
626
627// Signatures that require a hash with collision Resistance and second
628// Pre-image Resistance. See the documentation for HashAlgoSecurity
629// for more details.
630a_cutoff_list!(CollisionResistantHashCutoffList, HashAlgorithm, 15,
631 [
632 REJECT, // 0. Not assigned.
633 Some(Timestamp::Y1997M2), // 1. MD5
634 Some(Timestamp::Y2013M2), // 2. SHA-1
635 Some(Timestamp::Y2013M2), // 3. RIPE-MD/160
636 REJECT, // 4. Reserved.
637 REJECT, // 5. Reserved.
638 REJECT, // 6. Reserved.
639 REJECT, // 7. Reserved.
640 ACCEPT, // 8. SHA256
641 ACCEPT, // 9. SHA384
642 ACCEPT, // 10. SHA512
643 ACCEPT, // 11. SHA224
644 ACCEPT, // 12. SHA3-256
645 REJECT, // 13. Reserved.
646 ACCEPT, // 14. SHA3-512
647 ]);
648// Signatures that *only* require a hash with Second Pre-image
649// Resistance. See the documentation for HashAlgoSecurity for more
650// details.
651a_cutoff_list!(SecondPreImageResistantHashCutoffList, HashAlgorithm, 15,
652 [
653 REJECT, // 0. Not assigned.
654 Some(Timestamp::Y2004M2), // 1. MD5
655 Some(Timestamp::Y2023M2), // 2. SHA-1
656 Some(Timestamp::Y2013M2), // 3. RIPE-MD/160
657 REJECT, // 4. Reserved.
658 REJECT, // 5. Reserved.
659 REJECT, // 6. Reserved.
660 REJECT, // 7. Reserved.
661 ACCEPT, // 8. SHA256
662 ACCEPT, // 9. SHA384
663 ACCEPT, // 10. SHA512
664 ACCEPT, // 11. SHA224
665 ACCEPT, // 12. SHA3-256
666 REJECT, // 13. Reserved.
667 ACCEPT, // 14. SHA3-512
668 ]);
669
670a_cutoff_list!(SubpacketTagCutoffList, SubpacketTag, 40,
671 [
672 REJECT, // 0. Reserved.
673 REJECT, // 1. Reserved.
674 ACCEPT, // 2. SignatureCreationTime.
675 ACCEPT, // 3. SignatureExpirationTime.
676 ACCEPT, // 4. ExportableCertification.
677 ACCEPT, // 5. TrustSignature.
678 ACCEPT, // 6. RegularExpression.
679 // Note: Even though we don't explicitly honor the
680 // Revocable flag, we don't support signature
681 // revocations, hence it is safe to ACCEPT it.
682 ACCEPT, // 7. Revocable.
683 REJECT, // 8. Reserved.
684 ACCEPT, // 9. KeyExpirationTime.
685 REJECT, // 10. PlaceholderForBackwardCompatibility.
686 ACCEPT, // 11. PreferredSymmetricAlgorithms.
687 ACCEPT, // 12. RevocationKey.
688 REJECT, // 13. Reserved.
689 REJECT, // 14. Reserved.
690 REJECT, // 15. Reserved.
691 ACCEPT, // 16. Issuer.
692 REJECT, // 17. Reserved.
693 REJECT, // 18. Reserved.
694 REJECT, // 19. Reserved.
695 ACCEPT, // 20. NotationData.
696 ACCEPT, // 21. PreferredHashAlgorithms.
697 ACCEPT, // 22. PreferredCompressionAlgorithms.
698 ACCEPT, // 23. KeyServerPreferences.
699 ACCEPT, // 24. PreferredKeyServer.
700 ACCEPT, // 25. PrimaryUserID.
701 ACCEPT, // 26. PolicyURI.
702 ACCEPT, // 27. KeyFlags.
703 ACCEPT, // 28. SignersUserID.
704 ACCEPT, // 29. ReasonForRevocation.
705 ACCEPT, // 30. Features.
706 REJECT, // 31. SignatureTarget.
707 ACCEPT, // 32. EmbeddedSignature.
708 ACCEPT, // 33. IssuerFingerprint.
709 REJECT, // 34. Reserved (PreferredAEADAlgorithms).
710 ACCEPT, // 35. IntendedRecipient.
711 REJECT, // 36. Reserved.
712 ACCEPT, // 37. ApprovedCertifications.
713 REJECT, // 38. Reserved.
714 ACCEPT, // 39. PreferredAEADCiphersuites.
715 ]);
716
717a_cutoff_list!(AsymmetricAlgorithmCutoffList, AsymmetricAlgorithm, 24,
718 [
719 Some(Timestamp::Y2014M2), // 0. RSA1024.
720 ACCEPT, // 1. RSA2048.
721 ACCEPT, // 2. RSA3072.
722 ACCEPT, // 3. RSA4096.
723 Some(Timestamp::Y2014M2), // 4. ElGamal1024.
724 Some(Timestamp::Y2025M2), // 5. ElGamal2048.
725 Some(Timestamp::Y2025M2), // 6. ElGamal3072.
726 Some(Timestamp::Y2025M2), // 7. ElGamal4096.
727 Some(Timestamp::Y2014M2), // 8. DSA1024.
728 Some(Timestamp::Y2030M2), // 9. DSA2048.
729 Some(Timestamp::Y2030M2), // 10. DSA3072.
730 Some(Timestamp::Y2030M2), // 11. DSA4096.
731 ACCEPT, // 12. NistP256.
732 ACCEPT, // 13. NistP384.
733 ACCEPT, // 14. NistP521.
734 ACCEPT, // 15. BrainpoolP256.
735 ACCEPT, // 16. BrainpoolP384.
736 ACCEPT, // 17. BrainpoolP512.
737 ACCEPT, // 18. Cv25519.
738 ACCEPT, // 19. X25519.
739 ACCEPT, // 20. X448.
740 ACCEPT, // 21. Ed25519.
741 ACCEPT, // 22. Ed448.
742 ACCEPT, // 23. EdDSA (i.e., Legacy Ed25519).
743 ]);
744
745a_cutoff_list!(SymmetricAlgorithmCutoffList, SymmetricAlgorithm, 14,
746 [
747 REJECT, // 0. Unencrypted.
748 Some(Timestamp::Y2025M2), // 1. IDEA.
749 Some(Timestamp::Y2017M2), // 2. TripleDES.
750 Some(Timestamp::Y2025M2), // 3. CAST5.
751 ACCEPT, // 4. Blowfish.
752 REJECT, // 5. Reserved.
753 REJECT, // 6. Reserved.
754 ACCEPT, // 7. AES128.
755 ACCEPT, // 8. AES192.
756 ACCEPT, // 9. AES256.
757 ACCEPT, // 10. Twofish.
758 ACCEPT, // 11. Camellia128.
759 ACCEPT, // 12. Camellia192.
760 ACCEPT, // 13. Camellia256.
761 ]);
762
763a_cutoff_list!(AEADAlgorithmCutoffList, AEADAlgorithm, 4,
764 [
765 REJECT, // 0. Reserved.
766 ACCEPT, // 1. EAX.
767 ACCEPT, // 2. OCB.
768 ACCEPT, // 3. GCM.
769 ]);
770
771a_versioned_cutoff_list!(PacketTagCutoffList, Tag, 22,
772 [
773 REJECT, // 0. Reserved.
774 ACCEPT, // 1. PKESK.
775 ACCEPT, // 2. Signature.
776 ACCEPT, // 3. SKESK.
777 ACCEPT, // 4. OnePassSig.
778 ACCEPT, // 5. SecretKey.
779 ACCEPT, // 6. PublicKey.
780 ACCEPT, // 7. SecretSubkey.
781 ACCEPT, // 8. CompressedData.
782 Some(Timestamp::Y2004M2), // 9. SED.
783 ACCEPT, // 10. Marker.
784 ACCEPT, // 11. Literal.
785 ACCEPT, // 12. Trust.
786 ACCEPT, // 13. UserID.
787 ACCEPT, // 14. PublicSubkey.
788 REJECT, // 15. Not assigned.
789 REJECT, // 16. Not assigned.
790 ACCEPT, // 17. UserAttribute.
791 ACCEPT, // 18. SEIP.
792 ACCEPT, // 19. MDC.
793 REJECT, // 20. "v5" AED.
794 ACCEPT, // 21. Padding.
795 ],
796 // The versioned list overrides the unversioned list. So we only
797 // need to tweak the above.
798 //
799 // Note: this list must be sorted and the tag and version must be unique!
800 2,
801 [
802 (Tag::Signature, 3, Some(Timestamp::Y2021M2)),
803 (Tag::Signature, 5, REJECT), // "v5" Signatures.
804 ]);
805
806// We need to convert a `SystemTime` to a `Timestamp` in
807// `StandardPolicy::reject_hash_at`. Unfortunately, a `SystemTime`
808// can represent a larger range of time than a `Timestamp` can. Since
809// the times passed to this function are cutoff points, and we only
810// compare them to OpenPGP timestamps, any `SystemTime` that is prior
811// to the Unix Epoch is equivalent to the Unix Epoch: it will reject
812// all timestamps. Similarly, any `SystemTime` that is later than the
813// latest time representable by a `Timestamp` is equivalent to
814// accepting all time stamps, which is equivalent to passing None.
815fn system_time_cutoff_to_timestamp(t: SystemTime) -> Option<Timestamp> {
816 let t = t
817 .duration_since(SystemTime::UNIX_EPOCH)
818 // An error can only occur if the SystemTime is less than the
819 // reference time (SystemTime::UNIX_EPOCH). Map that to
820 // SystemTime::UNIX_EPOCH, as above.
821 .unwrap_or_else(|_| Duration::new(0, 0));
822 let t = t.as_secs();
823 if t > u32::MAX as u64 {
824 // Map to None, as above.
825 None
826 } else {
827 Some((t as u32).into())
828 }
829}
830
831impl<'a> StandardPolicy<'a> {
832 /// Instantiates a new `StandardPolicy` with the default parameters.
833 pub const fn new() -> Self {
834 const EMPTY_LIST: &[&str] = &[];
835 Self {
836 time: None,
837 collision_resistant_hash_algos:
838 CollisionResistantHashCutoffList::Default(),
839 second_pre_image_resistant_hash_algos:
840 SecondPreImageResistantHashCutoffList::Default(),
841 // There are 365.2425 days in a year. Use a reasonable
842 // approximation.
843 hash_revocation_tolerance:
844 types::Duration::seconds((7 * 365 + 2) * 24 * 60 * 60),
845 critical_subpackets: SubpacketTagCutoffList::Default(),
846 good_critical_notations: EMPTY_LIST,
847 asymmetric_algos: AsymmetricAlgorithmCutoffList::Default(),
848 symmetric_algos: SymmetricAlgorithmCutoffList::Default(),
849 aead_algos: AEADAlgorithmCutoffList::Default(),
850 packet_tags: PacketTagCutoffList::Default(),
851 }
852 }
853
854 /// Instantiates a new `StandardPolicy` with parameters
855 /// appropriate for `time`.
856 ///
857 /// `time` is a meta-parameter that selects a security profile
858 /// that is appropriate for the given point in time. When
859 /// evaluating an object, the reference time should be set to the
860 /// time that the object was stored to non-tamperable storage.
861 /// Since most applications don't record when they received an
862 /// object, they should conservatively use the current time.
863 ///
864 /// Note that the reference time is a security parameter and is
865 /// different from the time that the object was allegedly created.
866 /// Consider evaluating a signature whose `Signature Creation
867 /// Time` subpacket indicates that it was created in 2007. Since
868 /// the subpacket is under the control of the sender, setting the
869 /// reference time according to the subpacket means that the
870 /// sender chooses the security profile. If the sender were an
871 /// attacker, she could have forged this to take advantage of
872 /// security weaknesses found since 2007. This is why the
873 /// reference time must be set---at the earliest---to the time
874 /// that the message was stored to non-tamperable storage. When
875 /// that is not available, the current time should be used.
876 pub fn at<T>(time: T) -> Self
877 where T: Into<SystemTime>,
878 {
879 let time = time.into();
880 let mut p = Self::new();
881 p.time = Some(system_time_cutoff_to_timestamp(time)
882 // Map "ACCEPT" to the end of time (None
883 // here means the current time).
884 .unwrap_or(Timestamp::MAX));
885 p
886 }
887
888 /// Returns the policy's reference time.
889 ///
890 /// The current time is None.
891 ///
892 /// See [`StandardPolicy::at`] for details.
893 ///
894 /// [`StandardPolicy::at`]: StandardPolicy::at()
895 pub fn time(&self) -> Option<SystemTime> {
896 self.time.map(Into::into)
897 }
898
899 /// Always considers `h` to be secure.
900 ///
901 /// A cryptographic hash algorithm normally has three security
902 /// properties:
903 ///
904 /// - Pre-image resistance,
905 /// - Second pre-image resistance, and
906 /// - Collision resistance.
907 ///
908 /// A hash algorithm should only be unconditionally accepted if it
909 /// has all three of these properties. See the documentation for
910 /// [`HashAlgoSecurity`] for more details.
911 pub fn accept_hash(&mut self, h: HashAlgorithm) {
912 self.accept_hash_property(h, HashAlgoSecurity::CollisionResistance);
913 self.accept_hash_property(h, HashAlgoSecurity::SecondPreImageResistance);
914 }
915
916 /// Considers hash algorithm `h` to be secure for the specified
917 /// security property `sec`.
918 ///
919 /// For instance, an application may choose to allow an algorithm
920 /// like SHA-1 in contexts like User ID binding signatures where
921 /// only [second preimage
922 /// resistance][`HashAlgoSecurity::SecondPreImageResistance`] is
923 /// required but not in contexts like signatures over data where
924 /// [collision
925 /// resistance][`HashAlgoSecurity::CollisionResistance`] is also
926 /// required. Whereas SHA-1's collision resistance is
927 /// [definitively broken](https://shattered.io/), depending on the
928 /// application's threat model, it may be acceptable to continue
929 /// to accept SHA-1 in these specific contexts.
930 pub fn accept_hash_property(&mut self, h: HashAlgorithm, sec: HashAlgoSecurity)
931 {
932 self.reject_hash_property_at(h, sec, None);
933 }
934
935 /// Considers `h` to be insecure in all security contexts.
936 ///
937 /// A cryptographic hash algorithm normally has three security
938 /// properties:
939 ///
940 /// - Pre-image resistance,
941 /// - Second pre-image resistance, and
942 /// - Collision resistance.
943 ///
944 /// This method causes the hash algorithm to be considered unsafe
945 /// in all security contexts.
946 ///
947 /// See the documentation for [`HashAlgoSecurity`] for more
948 /// details.
949 ///
950 ///
951 /// To express a more nuanced policy, use
952 /// [`StandardPolicy::reject_hash_at`] or
953 /// [`StandardPolicy::reject_hash_property_at`].
954 ///
955 /// [`StandardPolicy::reject_hash_at`]: StandardPolicy::reject_hash_at()
956 /// [`StandardPolicy::reject_hash_property_at`]: StandardPolicy::reject_hash_property_at()
957 pub fn reject_hash(&mut self, h: HashAlgorithm) {
958 self.collision_resistant_hash_algos.set(h, REJECT);
959 self.second_pre_image_resistant_hash_algos.set(h, REJECT);
960 }
961
962 /// Considers all hash algorithms to be insecure.
963 ///
964 /// Causes all hash algorithms to be considered insecure in all
965 /// security contexts.
966 ///
967 /// This is useful when using a good list to determine what
968 /// algorithms are allowed.
969 pub fn reject_all_hashes(&mut self) {
970 self.collision_resistant_hash_algos.reject_all();
971 self.second_pre_image_resistant_hash_algos.reject_all();
972 }
973
974 /// Considers `h` to be insecure in all security contexts starting
975 /// at time `t`.
976 ///
977 /// A cryptographic hash algorithm normally has three security
978 /// properties:
979 ///
980 /// - Pre-image resistance,
981 /// - Second pre-image resistance, and
982 /// - Collision resistance.
983 ///
984 /// This method causes the hash algorithm to be considered unsafe
985 /// in all security contexts starting at time `t`.
986 ///
987 /// See the documentation for [`HashAlgoSecurity`] for more
988 /// details.
989 ///
990 ///
991 /// To express a more nuanced policy, use
992 /// [`StandardPolicy::reject_hash_property_at`].
993 ///
994 /// [`StandardPolicy::reject_hash_property_at`]: StandardPolicy::reject_hash_property_at()
995 pub fn reject_hash_at<T>(&mut self, h: HashAlgorithm, t: T)
996 where T: Into<Option<SystemTime>>,
997 {
998 let t = t.into().and_then(system_time_cutoff_to_timestamp);
999 self.collision_resistant_hash_algos.set(h, t);
1000 self.second_pre_image_resistant_hash_algos.set(h, t);
1001 }
1002
1003 /// Considers `h` to be insecure starting at `t` for the specified
1004 /// security property.
1005 ///
1006 /// A hash algorithm is considered secure if it has all of the
1007 /// following security properties:
1008 ///
1009 /// - Pre-image resistance,
1010 /// - Second pre-image resistance, and
1011 /// - Collision resistance.
1012 ///
1013 /// Some contexts only require a subset of these security
1014 /// properties. Specifically, if an attacker is unable to
1015 /// influence the data that a user signs, then the hash algorithm
1016 /// only needs second pre-image resistance; it doesn't need
1017 /// collision resistance. See the documentation for
1018 /// [`HashAlgoSecurity`] for more details.
1019 ///
1020 ///
1021 /// This method makes it possible to specify different policies
1022 /// depending on the security requirements.
1023 ///
1024 /// A cutoff of `None` means that there is no cutoff and the
1025 /// algorithm has no known vulnerabilities for the specified
1026 /// security policy.
1027 ///
1028 /// As a rule of thumb, collision resistance is easier to attack
1029 /// than second pre-image resistance. And in practice there are
1030 /// practical attacks against several widely-used hash algorithms'
1031 /// collision resistance, but only theoretical attacks against
1032 /// their second pre-image resistance. Nevertheless, once one
1033 /// property of a hash has been compromised, we want to deprecate
1034 /// its use as soon as it is feasible. Unfortunately, because
1035 /// OpenPGP certificates are long-lived, this can take years.
1036 ///
1037 /// Given this, we start rejecting [MD5] in cases where collision
1038 /// resistance is required in 1997 and completely reject it
1039 /// starting in 2004:
1040 ///
1041 /// > In 1996, Dobbertin announced a collision of the
1042 /// > compression function of MD5 (Dobbertin, 1996). While this
1043 /// > was not an attack on the full MD5 hash function, it was
1044 /// > close enough for cryptographers to recommend switching to
1045 /// > a replacement, such as SHA-1 or RIPEMD-160.
1046 /// >
1047 /// > MD5CRK ended shortly after 17 August 2004, when collisions
1048 /// > for the full MD5 were announced by Xiaoyun Wang, Dengguo
1049 /// > Feng, Xuejia Lai, and Hongbo Yu. Their analytical attack
1050 /// > was reported to take only one hour on an IBM p690 cluster.
1051 /// >
1052 /// > (Accessed Feb. 2020.)
1053 ///
1054 /// [MD5]: https://en.wikipedia.org/wiki/MD5
1055 ///
1056 /// And we start rejecting [SHA-1] in cases where collision
1057 /// resistance is required in 2013, and completely reject it in
1058 /// 2023:
1059 ///
1060 /// > Since 2005 SHA-1 has not been considered secure against
1061 /// > well-funded opponents, as of 2010 many organizations have
1062 /// > recommended its replacement. NIST formally deprecated use
1063 /// > of SHA-1 in 2011 and disallowed its use for digital
1064 /// > signatures in 2013. As of 2020, attacks against SHA-1 are
1065 /// > as practical as against MD5; as such, it is recommended to
1066 /// > remove SHA-1 from products as soon as possible and use
1067 /// > instead SHA-256 or SHA-3. Replacing SHA-1 is urgent where
1068 /// > it's used for signatures.
1069 /// >
1070 /// > (Accessed Feb. 2020.)
1071 ///
1072 /// [SHA-1]: https://en.wikipedia.org/wiki/SHA-1
1073 ///
1074 /// There are two main reasons why we have decided to accept SHA-1
1075 /// for so long. First, as of the end of 2020, there are still a
1076 /// large number of [certificates that rely on SHA-1]. Second,
1077 /// Sequoia uses a variant of SHA-1 called [SHA1CD], which is able
1078 /// to detect and *mitigate* the known attacks on SHA-1's
1079 /// collision resistance.
1080 ///
1081 /// [certificates that rely on SHA-1]: https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
1082 /// [SHA1CD]: https://github.com/cr-marcstevens/sha1collisiondetection
1083 ///
1084 /// Since RIPE-MD is structured similarly to SHA-1, we
1085 /// conservatively consider it to be broken as well. But, because
1086 /// it is not widely used in the OpenPGP ecosystem, we don't make
1087 /// provisions for it.
1088 ///
1089 /// Note: if a context indicates that it requires collision
1090 /// resistance, then it requires both collision resistance and
1091 /// second pre-image resistance, and both policies must indicate
1092 /// that the hash algorithm can be safely used at the specified
1093 /// time.
1094 pub fn reject_hash_property_at<T>(&mut self, h: HashAlgorithm,
1095 sec: HashAlgoSecurity, t: T)
1096 where T: Into<Option<SystemTime>>,
1097 {
1098 let t = t.into().and_then(system_time_cutoff_to_timestamp);
1099 match sec {
1100 HashAlgoSecurity::CollisionResistance =>
1101 self.collision_resistant_hash_algos.set(h, t),
1102 HashAlgoSecurity::SecondPreImageResistance =>
1103 self.second_pre_image_resistant_hash_algos.set(h, t),
1104 }
1105 }
1106
1107 /// Returns the cutoff time for the specified hash algorithm and
1108 /// security policy.
1109 pub fn hash_cutoff(&self, h: HashAlgorithm, sec: HashAlgoSecurity)
1110 -> Option<SystemTime>
1111 {
1112 match sec {
1113 HashAlgoSecurity::CollisionResistance =>
1114 self.collision_resistant_hash_algos.cutoff(h),
1115 HashAlgoSecurity::SecondPreImageResistance =>
1116 self.second_pre_image_resistant_hash_algos.cutoff(h),
1117 }.map(|t| t.into())
1118 }
1119
1120 /// Sets the amount of time to continue to accept revocation
1121 /// certificates after a hash algorithm should be rejected.
1122 ///
1123 /// Using [`StandardPolicy::reject_hash_at`], it is possible to
1124 /// indicate when a hash algorithm's security has been
1125 /// compromised, and, as such, should no longer be accepted.
1126 ///
1127 /// [`StandardPolicy::reject_hash_at`]: StandardPolicy::reject_hash_at()
1128 ///
1129 /// Applying this policy to revocation certificates can have some
1130 /// unfortunate side effects. In particular, if a certificate has
1131 /// been revoked using a revocation certificate that relies on a
1132 /// broken hash algorithm, but the most recent self signature uses
1133 /// a strong acceptable hash algorithm, then rejecting the
1134 /// revocation certificate would mean considering the certificate
1135 /// to not be revoked! This would be a catastrophe if the secret
1136 /// key material were compromised.
1137 ///
1138 /// Unfortunately, this happens in practice. A common example
1139 /// appears to be a certificate that has been updated many times,
1140 /// and is then revoked using a revocation certificate that was
1141 /// generated when the certificate was generated.
1142 ///
1143 /// Since the consequences of allowing an invalid revocation
1144 /// certificate are significantly less severe (a denial of
1145 /// service) than ignoring a valid revocation certificate
1146 /// (compromised confidentiality, integrity, and authentication),
1147 /// this option makes it possible to accept revocations using weak
1148 /// hash algorithms longer than other types of signatures.
1149 ///
1150 /// By default, the standard policy accepts revocation
1151 /// certificates seven years after the hash they are using was
1152 /// initially compromised.
1153 pub fn hash_revocation_tolerance<D>(&mut self, d: D)
1154 where D: Into<types::Duration>
1155 {
1156 self.hash_revocation_tolerance = d.into();
1157 }
1158
1159 /// Sets the amount of time to continue to accept revocation
1160 /// certificates after a hash algorithm should be rejected.
1161 ///
1162 /// See [`StandardPolicy::hash_revocation_tolerance`] for details.
1163 ///
1164 /// [`StandardPolicy::hash_revocation_tolerance`]: StandardPolicy::hash_revocation_tolerance()
1165 pub fn get_hash_revocation_tolerance(&self) -> types::Duration {
1166 self.hash_revocation_tolerance
1167 }
1168
1169 /// Always considers `s` to be secure.
1170 pub fn accept_critical_subpacket(&mut self, s: SubpacketTag) {
1171 self.critical_subpackets.set(s, ACCEPT);
1172 }
1173
1174 /// Always considers `s` to be insecure.
1175 pub fn reject_critical_subpacket(&mut self, s: SubpacketTag) {
1176 self.critical_subpackets.set(s, REJECT);
1177 }
1178
1179 /// Considers all critical subpackets to be insecure.
1180 ///
1181 /// This is useful when using a good list to determine what
1182 /// critical subpackets are allowed.
1183 pub fn reject_all_critical_subpackets(&mut self) {
1184 self.critical_subpackets.reject_all();
1185 }
1186
1187 /// Considers `s` to be insecure starting at `cutoff`.
1188 ///
1189 /// A cutoff of `None` means that there is no cutoff and the
1190 /// subpacket has no known vulnerabilities.
1191 ///
1192 /// By default, we accept all critical subpackets that Sequoia
1193 /// understands and honors.
1194 pub fn reject_critical_subpacket_at<C>(&mut self, s: SubpacketTag,
1195 cutoff: C)
1196 where C: Into<Option<SystemTime>>,
1197 {
1198 self.critical_subpackets.set(
1199 s,
1200 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1201 }
1202
1203 /// Returns the cutoff times for the specified subpacket tag.
1204 pub fn critical_subpacket_cutoff(&self, s: SubpacketTag)
1205 -> Option<SystemTime> {
1206 self.critical_subpackets.cutoff(s).map(|t| t.into())
1207 }
1208
1209 /// Sets the list of accepted critical notations.
1210 ///
1211 /// By default, we reject all critical notations.
1212 pub fn good_critical_notations(&mut self, good_list: &'a [&'a str]) {
1213 self.good_critical_notations = good_list;
1214 }
1215
1216 /// Always considers `s` to be secure.
1217 pub fn accept_asymmetric_algo(&mut self, a: AsymmetricAlgorithm) {
1218 self.asymmetric_algos.set(a, ACCEPT);
1219 }
1220
1221 /// Always considers `s` to be insecure.
1222 pub fn reject_asymmetric_algo(&mut self, a: AsymmetricAlgorithm) {
1223 self.asymmetric_algos.set(a, REJECT);
1224 }
1225
1226 /// Considers all asymmetric algorithms to be insecure.
1227 ///
1228 /// This is useful when using a good list to determine what
1229 /// algorithms are allowed.
1230 pub fn reject_all_asymmetric_algos(&mut self) {
1231 self.asymmetric_algos.reject_all();
1232 }
1233
1234 /// Considers `a` to be insecure starting at `cutoff`.
1235 ///
1236 /// A cutoff of `None` means that there is no cutoff and the
1237 /// algorithm has no known vulnerabilities.
1238 ///
1239 /// By default, we reject the use of asymmetric key sizes lower
1240 /// than 2048 bits starting in 2014 following [NIST Special
1241 /// Publication 800-131A].
1242 ///
1243 /// [NIST Special Publication 800-131A]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
1244 pub fn reject_asymmetric_algo_at<C>(&mut self, a: AsymmetricAlgorithm,
1245 cutoff: C)
1246 where C: Into<Option<SystemTime>>,
1247 {
1248 self.asymmetric_algos.set(
1249 a,
1250 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1251 }
1252
1253 /// Returns the cutoff times for the specified hash algorithm.
1254 pub fn asymmetric_algo_cutoff(&self, a: AsymmetricAlgorithm)
1255 -> Option<SystemTime> {
1256 self.asymmetric_algos.cutoff(a).map(|t| t.into())
1257 }
1258
1259 /// Always considers `s` to be secure.
1260 pub fn accept_symmetric_algo(&mut self, s: SymmetricAlgorithm) {
1261 self.symmetric_algos.set(s, ACCEPT);
1262 }
1263
1264 /// Always considers `s` to be insecure.
1265 pub fn reject_symmetric_algo(&mut self, s: SymmetricAlgorithm) {
1266 self.symmetric_algos.set(s, REJECT);
1267 }
1268
1269 /// Considers all symmetric algorithms to be insecure.
1270 ///
1271 /// This is useful when using a good list to determine what
1272 /// algorithms are allowed.
1273 pub fn reject_all_symmetric_algos(&mut self) {
1274 self.symmetric_algos.reject_all();
1275 }
1276
1277 /// Considers `s` to be insecure starting at `cutoff`.
1278 ///
1279 /// A cutoff of `None` means that there is no cutoff and the
1280 /// algorithm has no known vulnerabilities.
1281 ///
1282 /// By default, we reject the use of TripleDES (3DES) starting in
1283 /// the year 2017. While 3DES is still a ["MUST implement"]
1284 /// algorithm in RFC4880, released in 2007, there are plenty of
1285 /// other symmetric algorithms defined in RFC4880, and it says
1286 /// AES-128 SHOULD be implemented. Support for other algorithms
1287 /// in OpenPGP implementations is [excellent]. We chose 2017 as
1288 /// the cutoff year because [NIST deprecated 3DES] that year.
1289 ///
1290 /// ["MUST implement"]: https://www.rfc-editor.org/rfc/rfc9580.html#section-9.3
1291 /// [excellent]: https://tests.sequoia-pgp.org/#Symmetric_Encryption_Algorithm_support
1292 /// [NIST deprecated 3DES]: https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
1293 pub fn reject_symmetric_algo_at<C>(&mut self, s: SymmetricAlgorithm,
1294 cutoff: C)
1295 where C: Into<Option<SystemTime>>,
1296 {
1297 self.symmetric_algos.set(
1298 s,
1299 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1300 }
1301
1302 /// Returns the cutoff times for the specified hash algorithm.
1303 pub fn symmetric_algo_cutoff(&self, s: SymmetricAlgorithm)
1304 -> Option<SystemTime> {
1305 self.symmetric_algos.cutoff(s).map(|t| t.into())
1306 }
1307
1308 /// Always considers `s` to be secure.
1309 ///
1310 /// This feature is [experimental](super#experimental-features).
1311 pub fn accept_aead_algo(&mut self, a: AEADAlgorithm) {
1312 self.aead_algos.set(a, ACCEPT);
1313 }
1314
1315 /// Always considers `s` to be insecure.
1316 ///
1317 /// This feature is [experimental](super#experimental-features).
1318 pub fn reject_aead_algo(&mut self, a: AEADAlgorithm) {
1319 self.aead_algos.set(a, REJECT);
1320 }
1321
1322 /// Considers all AEAD algorithms to be insecure.
1323 ///
1324 /// This is useful when using a good list to determine what
1325 /// algorithms are allowed.
1326 pub fn reject_all_aead_algos(&mut self) {
1327 self.aead_algos.reject_all();
1328 }
1329
1330 /// Considers `a` to be insecure starting at `cutoff`.
1331 ///
1332 /// A cutoff of `None` means that there is no cutoff and the
1333 /// algorithm has no known vulnerabilities.
1334 ///
1335 /// By default, we accept all AEAD modes.
1336 ///
1337 /// This feature is [experimental](super#experimental-features).
1338 pub fn reject_aead_algo_at<C>(&mut self, a: AEADAlgorithm,
1339 cutoff: C)
1340 where C: Into<Option<SystemTime>>,
1341 {
1342 self.aead_algos.set(
1343 a,
1344 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1345 }
1346
1347 /// Returns the cutoff times for the specified hash algorithm.
1348 ///
1349 /// This feature is [experimental](super#experimental-features).
1350 pub fn aead_algo_cutoff(&self, a: AEADAlgorithm)
1351 -> Option<SystemTime> {
1352 self.aead_algos.cutoff(a).map(|t| t.into())
1353 }
1354
1355 /// Always accept the specified version of the packet.
1356 ///
1357 /// If a packet does not have a version field, then its version is
1358 /// `0`.
1359 pub fn accept_packet_tag_version(&mut self, tag: Tag, version: u8) {
1360 self.packet_tags.set_versioned(tag, version, ACCEPT);
1361 }
1362
1363 /// Always accept packets with the given tag independent of their
1364 /// version.
1365 ///
1366 /// If you previously set a cutoff for a specific version of a
1367 /// packet, this overrides that.
1368 pub fn accept_packet_tag(&mut self, tag: Tag) {
1369 self.packet_tags.set_unversioned(tag, ACCEPT);
1370 }
1371
1372 /// Always reject the specified version of the packet.
1373 ///
1374 /// If a packet does not have a version field, then its version is
1375 /// `0`.
1376 pub fn reject_packet_tag_version(&mut self, tag: Tag, version: u8) {
1377 self.packet_tags.set_versioned(tag, version, REJECT);
1378 }
1379
1380 /// Always reject packets with the given tag.
1381 pub fn reject_packet_tag(&mut self, tag: Tag) {
1382 self.packet_tags.set_unversioned(tag, REJECT);
1383 }
1384
1385 /// Considers all packets to be insecure.
1386 ///
1387 /// This is useful when using a good list to determine what
1388 /// packets are allowed.
1389 pub fn reject_all_packet_tags(&mut self) {
1390 self.packet_tags.reject_all();
1391 }
1392
1393 /// Start rejecting the specified version of packets with the
1394 /// given tag at `t`.
1395 ///
1396 /// A cutoff of `None` means that there is no cutoff and the
1397 /// packet has no known vulnerabilities.
1398 ///
1399 /// By default, we consider the *Symmetrically Encrypted Data
1400 /// Packet* (SED) insecure in messages created in the year 2004 or
1401 /// later. The rationale here is that *Symmetrically Encrypted
1402 /// Integrity Protected Data Packet* (SEIP) can be downgraded to
1403 /// SED packets, enabling attacks exploiting the malleability of
1404 /// the CFB stream (see [EFAIL]).
1405 ///
1406 /// [EFAIL]: https://en.wikipedia.org/wiki/EFAIL
1407 ///
1408 /// We chose 2004 as a cutoff-date because [Debian 3.0] (Woody),
1409 /// released on 2002-07-19, was the first release of Debian to
1410 /// ship a version of GnuPG that emitted SEIP packets by default.
1411 /// The first version that emitted SEIP packets was [GnuPG 1.0.3],
1412 /// released on 2000-09-18. Mid 2002 plus an 18 months grace
1413 /// period of people still using older versions is 2004.
1414 ///
1415 /// [Debian 3.0]: https://www.debian.org/News/2002/20020719
1416 /// [GnuPG 1.0.3]: https://lists.gnupg.org/pipermail/gnupg-announce/2000q3/000075.html
1417 pub fn reject_packet_tag_version_at<C>(&mut self, tag: Tag, version: u8,
1418 cutoff: C)
1419 where C: Into<Option<SystemTime>>,
1420 {
1421 self.packet_tags.set_versioned(
1422 tag, version,
1423 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1424 }
1425
1426 /// Start rejecting packets with the given tag at `t`.
1427 ///
1428 /// See the documentation for
1429 /// [`StandardPolicy::reject_packet_tag_version_at`].
1430 pub fn reject_packet_tag_at<C>(&mut self, tag: Tag, cutoff: C)
1431 where C: Into<Option<SystemTime>>,
1432 {
1433 self.packet_tags.set_unversioned(
1434 tag,
1435 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1436 }
1437
1438 /// Returns the cutoff for the specified version of the specified
1439 /// packet tag.
1440 ///
1441 /// This first considers the versioned cutoff list. If there is
1442 /// no entry in the versioned list, it fallsback to the
1443 /// unversioned cutoff list. If there is also no entry there,
1444 /// then it falls back to the default.
1445 pub fn packet_tag_version_cutoff(&self, tag: Tag, version: u8)
1446 -> Option<SystemTime>
1447 {
1448 self.packet_tags.cutoff(tag, version).map(|t| t.into())
1449 }
1450}
1451
1452impl<'a> Policy for StandardPolicy<'a> {
1453 fn signature(&self, sig: &Signature, sec: HashAlgoSecurity) -> Result<()> {
1454 let time = self.time.unwrap_or_else(Timestamp::now);
1455
1456 let rev = matches!(sig.typ(), SignatureType::KeyRevocation
1457 | SignatureType::SubkeyRevocation
1458 | SignatureType::CertificationRevocation);
1459
1460 // Note: collision resistance requires 2nd pre-image resistance.
1461 if sec == HashAlgoSecurity::CollisionResistance {
1462 if rev {
1463 self
1464 .collision_resistant_hash_algos
1465 .check(sig.hash_algo(), time,
1466 Some(self.hash_revocation_tolerance))
1467 .with_context(|| format!(
1468 "Policy rejected revocation signature ({}) requiring \
1469 collision resistance", sig.typ()))?
1470 } else {
1471 self
1472 .collision_resistant_hash_algos
1473 .check(sig.hash_algo(), time, None)
1474 .with_context(|| format!(
1475 "Policy rejected non-revocation signature ({}) requiring \
1476 collision resistance", sig.typ()))?
1477 }
1478 }
1479
1480 if rev {
1481 self
1482 .second_pre_image_resistant_hash_algos
1483 .check(sig.hash_algo(), time,
1484 Some(self.hash_revocation_tolerance))
1485 .with_context(|| format!(
1486 "Policy rejected revocation signature ({}) requiring \
1487 second pre-image resistance", sig.typ()))?
1488 } else {
1489 self
1490 .second_pre_image_resistant_hash_algos
1491 .check(sig.hash_algo(), time, None)
1492 .with_context(|| format!(
1493 "Policy rejected non-revocation signature ({}) requiring \
1494 second pre-image resistance", sig.typ()))?
1495 }
1496
1497 for csp in sig.hashed_area().iter().filter(|sp| sp.critical()) {
1498 self.critical_subpackets.check(csp.tag(), time, None)
1499 .context("Policy rejected critical signature subpacket")?;
1500 if let SubpacketValue::NotationData(n) = csp.value() {
1501 if ! self.good_critical_notations.contains(&n.name()) {
1502 return Err(anyhow::Error::from(
1503 Error::PolicyViolation(
1504 format!("Critical notation {:?}",
1505 n.name()), None))
1506 .context("Policy rejected critical notation"));
1507 }
1508 }
1509 }
1510
1511 Ok(())
1512 }
1513
1514 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1515 -> Result<()>
1516 {
1517 use crate::types::PublicKeyAlgorithm::{self, *};
1518 use crate::crypto::mpi::PublicKey;
1519
1520 #[allow(deprecated)]
1521 let a = match (ka.key().pk_algo(), ka.key().mpis().bits()) {
1522 // RSA.
1523 (RSAEncryptSign, Some(b))
1524 | (RSAEncrypt, Some(b))
1525 | (RSASign, Some(b))
1526 if b < 2048 => AsymmetricAlgorithm::RSA1024,
1527 (RSAEncryptSign, Some(b))
1528 | (RSAEncrypt, Some(b))
1529 | (RSASign, Some(b))
1530 if b < 3072 => AsymmetricAlgorithm::RSA2048,
1531 (RSAEncryptSign, Some(b))
1532 | (RSAEncrypt, Some(b))
1533 | (RSASign, Some(b))
1534 if b < 4096 => AsymmetricAlgorithm::RSA3072,
1535 (RSAEncryptSign, Some(_))
1536 | (RSAEncrypt, Some(_))
1537 | (RSASign, Some(_))
1538 => AsymmetricAlgorithm::RSA4096,
1539 (RSAEncryptSign, None)
1540 | (RSAEncrypt, None)
1541 | (RSASign, None) => unreachable!(),
1542
1543 // ElGamal.
1544 (ElGamalEncryptSign, Some(b))
1545 | (ElGamalEncrypt, Some(b))
1546 if b < 2048 => AsymmetricAlgorithm::ElGamal1024,
1547 (ElGamalEncryptSign, Some(b))
1548 | (ElGamalEncrypt, Some(b))
1549 if b < 3072 => AsymmetricAlgorithm::ElGamal2048,
1550 (ElGamalEncryptSign, Some(b))
1551 | (ElGamalEncrypt, Some(b))
1552 if b < 4096 => AsymmetricAlgorithm::ElGamal3072,
1553 (ElGamalEncryptSign, Some(_))
1554 | (ElGamalEncrypt, Some(_))
1555 => AsymmetricAlgorithm::ElGamal4096,
1556 (ElGamalEncryptSign, None)
1557 | (ElGamalEncrypt, None) => unreachable!(),
1558
1559 // DSA.
1560 (DSA, Some(b))
1561 if b < 2048 => AsymmetricAlgorithm::DSA1024,
1562 (DSA, Some(b))
1563 if b < 3072 => AsymmetricAlgorithm::DSA2048,
1564 (DSA, Some(b))
1565 if b < 4096 => AsymmetricAlgorithm::DSA3072,
1566 (DSA, Some(_))
1567 => AsymmetricAlgorithm::DSA4096,
1568 (DSA, None) => unreachable!(),
1569
1570 // ECC.
1571 (ECDH, _) | (ECDSA, _) | (EdDSA, _) => {
1572 let curve = match ka.key().mpis() {
1573 PublicKey::EdDSA { curve, .. } => curve,
1574 PublicKey::ECDSA { curve, .. } => curve,
1575 PublicKey::ECDH { curve, .. } => curve,
1576 _ => unreachable!(),
1577 };
1578 use crate::types::Curve;
1579 match curve {
1580 Curve::NistP256 => AsymmetricAlgorithm::NistP256,
1581 Curve::NistP384 => AsymmetricAlgorithm::NistP384,
1582 Curve::NistP521 => AsymmetricAlgorithm::NistP521,
1583 Curve::BrainpoolP256 => AsymmetricAlgorithm::BrainpoolP256,
1584 Curve::BrainpoolP384 => AsymmetricAlgorithm::BrainpoolP384,
1585 Curve::BrainpoolP512 => AsymmetricAlgorithm::BrainpoolP512,
1586 Curve::Ed25519 => AsymmetricAlgorithm::EdDSA,
1587 Curve::Cv25519 => AsymmetricAlgorithm::Cv25519,
1588 Curve::Unknown(_) => AsymmetricAlgorithm::Unknown,
1589 }
1590 },
1591
1592 (PublicKeyAlgorithm::X25519, _) => AsymmetricAlgorithm::X25519,
1593 (PublicKeyAlgorithm::X448, _) => AsymmetricAlgorithm::X448,
1594 (PublicKeyAlgorithm::Ed25519, _) => AsymmetricAlgorithm::Ed25519,
1595 (PublicKeyAlgorithm::Ed448, _) => AsymmetricAlgorithm::Ed448,
1596
1597 (PublicKeyAlgorithm::Private(_), _)
1598 | (PublicKeyAlgorithm::Unknown(_), _)
1599 => AsymmetricAlgorithm::Unknown,
1600 };
1601
1602 let time = self.time.unwrap_or_else(Timestamp::now);
1603 self.asymmetric_algos.check(a, time, None)
1604 .context("Policy rejected asymmetric algorithm")?;
1605
1606 // Check ECDH KDF and KEK parameters.
1607 if let PublicKey::ECDH { hash, sym, .. } = ka.key().mpis() {
1608 self.symmetric_algorithm(*sym)
1609 .context("Policy rejected ECDH \
1610 key encapsulation algorithm")?;
1611
1612 // RFC6637 says:
1613 //
1614 // > Refer to Section 13 for the details regarding the
1615 // > choice of the KEK algorithm, which SHOULD be one of
1616 // > three AES algorithms.
1617 //
1618 // Furthermore, GnuPG rejects anything other than AES.
1619 // I checked the SKS dump, and there are no keys out
1620 // there that use a different KEK algorithm.
1621 match sym {
1622 SymmetricAlgorithm::AES128
1623 | SymmetricAlgorithm::AES192
1624 | SymmetricAlgorithm::AES256
1625 => (), // Good.
1626 _ =>
1627 return Err(anyhow::Error::from(
1628 Error::PolicyViolation(sym.to_string(), None))
1629 .context("Policy rejected ECDH \
1630 key encapsulation algorithm")),
1631 }
1632
1633 // For use in a KDF the hash algorithm does not
1634 // necessarily be collision resistant, but this is the
1635 // weakest property that we otherwise care for, so
1636 // (somewhat arbitrarily) use this.
1637 self
1638 .collision_resistant_hash_algos
1639 .check(*hash, time, None)
1640 .context("Policy rejected ECDH \
1641 key derivation hash function")?;
1642 }
1643
1644 Ok(())
1645 }
1646
1647 fn packet(&self, packet: &Packet) -> Result<()> {
1648 let time = self.time.unwrap_or_else(Timestamp::now);
1649 self.packet_tags
1650 .check(
1651 packet.tag(),
1652 packet.version().unwrap_or(0),
1653 time, None)
1654 .context("Policy rejected packet type")
1655 }
1656
1657 fn symmetric_algorithm(&self, algo: SymmetricAlgorithm) -> Result<()> {
1658 let time = self.time.unwrap_or_else(Timestamp::now);
1659 self.symmetric_algos.check(algo, time, None)
1660 .context("Policy rejected symmetric encryption algorithm")
1661 }
1662
1663 fn aead_algorithm(&self, algo: AEADAlgorithm) -> Result<()> {
1664 let time = self.time.unwrap_or_else(Timestamp::now);
1665 self.aead_algos.check(algo, time, None)
1666 .context("Policy rejected authenticated encryption algorithm")
1667 }
1668}
1669
1670/// Asymmetric encryption algorithms.
1671///
1672/// This type is for refining the [`StandardPolicy`] with respect to
1673/// asymmetric algorithms. In contrast to [`PublicKeyAlgorithm`], it
1674/// does not concern itself with the use (encryption or signing), and
1675/// it does include key sizes (if applicable) and elliptic curves.
1676///
1677/// [`PublicKeyAlgorithm`]: crate::types::PublicKeyAlgorithm
1678///
1679/// Key sizes put into are buckets, rounding down to the nearest
1680/// bucket. For example, a 3253-bit RSA key is categorized as
1681/// `RSA3072`.
1682#[non_exhaustive]
1683#[derive(Clone, Debug, PartialEq, Eq, Copy)]
1684pub enum AsymmetricAlgorithm {
1685 /// RSA with key sizes up to 2048-1 bit.
1686 RSA1024,
1687 /// RSA with key sizes up to 3072-1 bit.
1688 RSA2048,
1689 /// RSA with key sizes up to 4096-1 bit.
1690 RSA3072,
1691 /// RSA with key sizes larger or equal to 4096 bit.
1692 RSA4096,
1693 /// ElGamal with key sizes up to 2048-1 bit.
1694 ElGamal1024,
1695 /// ElGamal with key sizes up to 3072-1 bit.
1696 ElGamal2048,
1697 /// ElGamal with key sizes up to 4096-1 bit.
1698 ElGamal3072,
1699 /// ElGamal with key sizes larger or equal to 4096 bit.
1700 ElGamal4096,
1701 /// DSA with key sizes up to 2048-1 bit.
1702 DSA1024,
1703 /// DSA with key sizes up to 3072-1 bit.
1704 DSA2048,
1705 /// DSA with key sizes up to 4096-1 bit.
1706 DSA3072,
1707 /// DSA with key sizes larger or equal to 4096 bit.
1708 DSA4096,
1709 /// NIST curve P-256.
1710 NistP256,
1711 /// NIST curve P-384.
1712 NistP384,
1713 /// NIST curve P-521.
1714 NistP521,
1715 /// brainpoolP256r1.
1716 BrainpoolP256,
1717 /// brainpoolP384r1.
1718 BrainpoolP384,
1719 /// brainpoolP512r1.
1720 BrainpoolP512,
1721 /// D.J. Bernstein's Curve25519.
1722 Cv25519,
1723 /// X25519 (RFC 7748).
1724 X25519,
1725 /// X448 (RFC 7748).
1726 X448,
1727 /// Ed25519 (RFC 8032).
1728 Ed25519,
1729 /// Ed448 (RFC 8032).
1730 Ed448,
1731 /// EdDSA (v4 Ed25519Legacy)
1732 EdDSA,
1733 /// Unknown algorithm.
1734 Unknown,
1735}
1736assert_send_and_sync!(AsymmetricAlgorithm);
1737
1738const ASYMMETRIC_ALGORITHM_VARIANTS: [AsymmetricAlgorithm; 24] = [
1739 AsymmetricAlgorithm::RSA1024,
1740 AsymmetricAlgorithm::RSA2048,
1741 AsymmetricAlgorithm::RSA3072,
1742 AsymmetricAlgorithm::RSA4096,
1743 AsymmetricAlgorithm::ElGamal1024,
1744 AsymmetricAlgorithm::ElGamal2048,
1745 AsymmetricAlgorithm::ElGamal3072,
1746 AsymmetricAlgorithm::ElGamal4096,
1747 AsymmetricAlgorithm::DSA1024,
1748 AsymmetricAlgorithm::DSA2048,
1749 AsymmetricAlgorithm::DSA3072,
1750 AsymmetricAlgorithm::DSA4096,
1751 AsymmetricAlgorithm::NistP256,
1752 AsymmetricAlgorithm::NistP384,
1753 AsymmetricAlgorithm::NistP521,
1754 AsymmetricAlgorithm::BrainpoolP256,
1755 AsymmetricAlgorithm::BrainpoolP384,
1756 AsymmetricAlgorithm::BrainpoolP512,
1757 AsymmetricAlgorithm::Cv25519,
1758 AsymmetricAlgorithm::X25519,
1759 AsymmetricAlgorithm::X448,
1760 AsymmetricAlgorithm::Ed25519,
1761 AsymmetricAlgorithm::Ed448,
1762 AsymmetricAlgorithm::EdDSA,
1763];
1764
1765impl AsymmetricAlgorithm {
1766 /// Returns an iterator over all valid variants.
1767 ///
1768 /// Returns an iterator over all known variants. This does not
1769 /// include the [`AsymmetricAlgorithm::Unknown`] variant.
1770 pub fn variants() -> impl Iterator<Item=AsymmetricAlgorithm> {
1771 ASYMMETRIC_ALGORITHM_VARIANTS.iter().cloned()
1772 }
1773}
1774
1775impl std::fmt::Display for AsymmetricAlgorithm {
1776 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
1777 write!(f, "{:?}", self)
1778 }
1779}
1780
1781impl From<AsymmetricAlgorithm> for u8 {
1782 fn from(a: AsymmetricAlgorithm) -> Self {
1783 use self::AsymmetricAlgorithm::*;
1784 match a {
1785 RSA1024 => 0,
1786 RSA2048 => 1,
1787 RSA3072 => 2,
1788 RSA4096 => 3,
1789 ElGamal1024 => 4,
1790 ElGamal2048 => 5,
1791 ElGamal3072 => 6,
1792 ElGamal4096 => 7,
1793 DSA1024 => 8,
1794 DSA2048 => 9,
1795 DSA3072 => 10,
1796 DSA4096 => 11,
1797 NistP256 => 12,
1798 NistP384 => 13,
1799 NistP521 => 14,
1800 BrainpoolP256 => 15,
1801 BrainpoolP384 => 16,
1802 BrainpoolP512 => 17,
1803 Cv25519 => 18,
1804 X25519 => 19,
1805 X448 => 20,
1806 Ed25519 => 21,
1807 Ed448 => 22,
1808 EdDSA => 23,
1809 Unknown => 255,
1810 }
1811 }
1812}
1813
1814/// The Null Policy.
1815///
1816/// Danger, here be dragons.
1817///
1818/// This policy imposes no additional policy, i.e., accepts
1819/// everything. This includes the MD5 hash algorithm, and SED
1820/// packets.
1821///
1822/// The Null policy has a limited set of valid use cases, e.g., packet statistics.
1823/// For other purposes, it is more advisable to use the [`StandardPolicy`] and
1824/// adjust it by selectively allowing items considered insecure by default, e.g.,
1825/// via [`StandardPolicy::accept_hash`] function. If this is still too inflexible
1826/// consider creating a specialized policy based on the [`StandardPolicy`] as
1827/// [the example for `StandardPolicy`] illustrates.
1828///
1829/// [`StandardPolicy::accept_hash`]: StandardPolicy::accept_hash()
1830/// [the example for `StandardPolicy`]: StandardPolicy#examples
1831#[derive(Debug)]
1832pub struct NullPolicy {
1833}
1834
1835assert_send_and_sync!(NullPolicy);
1836
1837impl NullPolicy {
1838 /// Instantiates a new `NullPolicy`.
1839 pub const unsafe fn new() -> Self {
1840 NullPolicy {}
1841 }
1842}
1843
1844impl Policy for NullPolicy {
1845 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
1846 Ok(())
1847 }
1848
1849 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1850 -> Result<()>
1851 {
1852 Ok(())
1853 }
1854
1855 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1856 Ok(())
1857 }
1858
1859 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1860 Ok(())
1861 }
1862
1863 fn packet(&self, _packet: &Packet) -> Result<()> {
1864 Ok(())
1865 }
1866
1867}
1868
1869#[cfg(test)]
1870mod test {
1871 use std::io::Read;
1872 use std::time::Duration;
1873
1874 use super::*;
1875 use crate::Error;
1876 use crate::crypto::SessionKey;
1877 use crate::packet::key::Key4;
1878 use crate::packet::signature;
1879 use crate::packet::{PKESK, SKESK};
1880 use crate::parse::Parse;
1881 use crate::parse::stream::DecryptionHelper;
1882 use crate::parse::stream::DecryptorBuilder;
1883 use crate::parse::stream::DetachedVerifierBuilder;
1884 use crate::parse::stream::MessageLayer;
1885 use crate::parse::stream::MessageStructure;
1886 use crate::parse::stream::VerificationHelper;
1887 use crate::parse::stream::VerifierBuilder;
1888 use crate::policy::StandardPolicy as P;
1889 use crate::types::Curve;
1890 use crate::types::KeyFlags;
1891 use crate::types::SymmetricAlgorithm;
1892
1893 // Test that the constructor is const.
1894 const _A_STANDARD_POLICY: StandardPolicy = StandardPolicy::new();
1895
1896 #[test]
1897 fn binding_signature() {
1898 let p = &P::new();
1899
1900 // A primary and two subkeys.
1901 let (cert, _) = CertBuilder::new()
1902 .add_signing_subkey()
1903 .add_transport_encryption_subkey()
1904 .generate().unwrap();
1905
1906 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
1907
1908 // Reject all direct key signatures.
1909 #[derive(Debug)]
1910 struct NoDirectKeySigs;
1911 impl Policy for NoDirectKeySigs {
1912 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
1913 -> Result<()>
1914 {
1915 use crate::types::SignatureType::*;
1916
1917 match sig.typ() {
1918 DirectKey => Err(anyhow::anyhow!("direct key!")),
1919 _ => Ok(()),
1920 }
1921 }
1922
1923 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1924 -> Result<()>
1925 {
1926 Ok(())
1927 }
1928
1929 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1930 Ok(())
1931 }
1932
1933 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1934 Ok(())
1935 }
1936
1937 fn packet(&self, _packet: &Packet) -> Result<()> {
1938 Ok(())
1939 }
1940 }
1941
1942 let p = &NoDirectKeySigs {};
1943 assert_eq!(cert.keys().with_policy(p, None).count(), 0);
1944
1945 // Reject all subkey signatures.
1946 #[derive(Debug)]
1947 struct NoSubkeySigs;
1948 impl Policy for NoSubkeySigs {
1949 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
1950 -> Result<()>
1951 {
1952 use crate::types::SignatureType::*;
1953
1954 match sig.typ() {
1955 SubkeyBinding => Err(anyhow::anyhow!("subkey signature!")),
1956 _ => Ok(()),
1957 }
1958 }
1959
1960 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1961 -> Result<()>
1962 {
1963 Ok(())
1964 }
1965
1966 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1967 Ok(())
1968 }
1969
1970 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1971 Ok(())
1972 }
1973
1974 fn packet(&self, _packet: &Packet) -> Result<()> {
1975 Ok(())
1976 }
1977 }
1978
1979 let p = &NoSubkeySigs {};
1980 assert_eq!(cert.keys().with_policy(p, None).count(), 1);
1981 }
1982
1983 #[test]
1984 fn revocation() -> Result<()> {
1985 use crate::cert::prelude::*;
1986 use crate::types::SignatureType;
1987 use crate::types::ReasonForRevocation;
1988
1989 let p = &P::new();
1990
1991 // A primary and two subkeys.
1992 let (cert, _) = CertBuilder::new()
1993 .add_userid("Alice")
1994 .add_signing_subkey()
1995 .add_transport_encryption_subkey()
1996 .generate()?;
1997
1998 // Make sure we have all keys and all user ids.
1999 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2000 assert_eq!(cert.userids().with_policy(p, None).count(), 1);
2001
2002 // Reject all user id signatures.
2003 #[derive(Debug)]
2004 struct NoPositiveCertifications;
2005 impl Policy for NoPositiveCertifications {
2006 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2007 -> Result<()>
2008 {
2009 use crate::types::SignatureType::*;
2010 match sig.typ() {
2011 PositiveCertification =>
2012 Err(anyhow::anyhow!("positive certification!")),
2013 _ => Ok(()),
2014 }
2015 }
2016
2017 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2018 -> Result<()>
2019 {
2020 Ok(())
2021 }
2022
2023 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2024 Ok(())
2025 }
2026
2027 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2028 Ok(())
2029 }
2030
2031 fn packet(&self, _packet: &Packet) -> Result<()> {
2032 Ok(())
2033 }
2034 }
2035 let p = &NoPositiveCertifications {};
2036 assert_eq!(cert.userids().with_policy(p, None).count(), 0);
2037
2038
2039 // Revoke it.
2040 let mut keypair = cert.primary_key().key().clone()
2041 .parts_into_secret()?.into_keypair()?;
2042 let ca = cert.userids().next().unwrap();
2043
2044 // Generate the revocation for the first and only UserID.
2045 let revocation =
2046 UserIDRevocationBuilder::new()
2047 .set_reason_for_revocation(
2048 ReasonForRevocation::KeyRetired,
2049 b"Left example.org.")?
2050 .build(&mut keypair, &cert, ca.userid(), None)?;
2051 assert_eq!(revocation.typ(), SignatureType::CertificationRevocation);
2052
2053 // Now merge the revocation signature into the Cert.
2054 let cert = cert.insert_packets(revocation.clone())?.0;
2055
2056 // Check that it is revoked.
2057 assert_eq!(cert.userids().with_policy(p, None).revoked(false).count(), 0);
2058
2059 // Reject all user id signatures.
2060 #[derive(Debug)]
2061 struct NoCertificationRevocation;
2062 impl Policy for NoCertificationRevocation {
2063 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2064 -> Result<()>
2065 {
2066 use crate::types::SignatureType::*;
2067 match sig.typ() {
2068 CertificationRevocation =>
2069 Err(anyhow::anyhow!("certification certification!")),
2070 _ => Ok(()),
2071 }
2072 }
2073
2074 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2075 -> Result<()>
2076 {
2077 Ok(())
2078 }
2079
2080 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2081 Ok(())
2082 }
2083
2084 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2085 Ok(())
2086 }
2087
2088 fn packet(&self, _packet: &Packet) -> Result<()> {
2089 Ok(())
2090 }
2091 }
2092 let p = &NoCertificationRevocation {};
2093
2094 // Check that the user id is no longer revoked.
2095 assert_eq!(cert.userids().with_policy(p, None).revoked(false).count(), 1);
2096
2097
2098 // Generate the revocation for the first subkey.
2099 let subkey = cert.keys().subkeys().next().unwrap();
2100 let revocation =
2101 SubkeyRevocationBuilder::new()
2102 .set_reason_for_revocation(
2103 ReasonForRevocation::KeyRetired,
2104 b"Smells funny.").unwrap()
2105 .build(&mut keypair, &cert, subkey.key(), None)?;
2106 assert_eq!(revocation.typ(), SignatureType::SubkeyRevocation);
2107
2108 // Now merge the revocation signature into the Cert.
2109 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 3);
2110 let cert = cert.insert_packets(revocation.clone())?.0;
2111 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 2);
2112
2113 // Reject all subkey revocations.
2114 #[derive(Debug)]
2115 struct NoSubkeyRevocation;
2116 impl Policy for NoSubkeyRevocation {
2117 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2118 -> Result<()>
2119 {
2120 use crate::types::SignatureType::*;
2121 match sig.typ() {
2122 SubkeyRevocation =>
2123 Err(anyhow::anyhow!("subkey revocation!")),
2124 _ => Ok(()),
2125 }
2126 }
2127
2128 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2129 -> Result<()>
2130 {
2131 Ok(())
2132 }
2133
2134 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2135 Ok(())
2136 }
2137
2138 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2139 Ok(())
2140 }
2141
2142 fn packet(&self, _packet: &Packet) -> Result<()> {
2143 Ok(())
2144 }
2145 }
2146 let p = &NoSubkeyRevocation {};
2147
2148 // Check that the key is no longer revoked.
2149 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 3);
2150
2151 Ok(())
2152 }
2153
2154
2155 #[test]
2156 fn binary_signature() -> Result<()> {
2157 #[derive(PartialEq, Debug)]
2158 struct VHelper {
2159 good: usize,
2160 errors: usize,
2161 keys: Vec<Cert>,
2162 }
2163
2164 impl VHelper {
2165 fn new(keys: Vec<Cert>) -> Self {
2166 VHelper {
2167 good: 0,
2168 errors: 0,
2169 keys,
2170 }
2171 }
2172 }
2173
2174 impl VerificationHelper for VHelper {
2175 fn get_certs(&mut self, _ids: &[crate::KeyHandle])
2176 -> Result<Vec<Cert>>
2177 {
2178 Ok(self.keys.clone())
2179 }
2180
2181 fn check(&mut self, structure: MessageStructure) -> Result<()>
2182 {
2183 for layer in structure {
2184 match layer {
2185 MessageLayer::SignatureGroup { ref results } =>
2186 for result in results {
2187 eprintln!("result: {:?}", result);
2188 match result {
2189 Ok(_) => self.good += 1,
2190 Err(_) => self.errors += 1,
2191 }
2192 }
2193 MessageLayer::Compression { .. } => (),
2194 _ => unreachable!(),
2195 }
2196 }
2197
2198 Ok(())
2199 }
2200 }
2201
2202 impl DecryptionHelper for VHelper {
2203 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2204 _: Option<SymmetricAlgorithm>,
2205 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2206 -> Result<Option<Cert>>
2207 {
2208 unreachable!();
2209 }
2210 }
2211
2212 // Reject all data (binary) signatures.
2213 #[derive(Debug)]
2214 struct NoBinarySigantures;
2215 impl Policy for NoBinarySigantures {
2216 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2217 -> Result<()>
2218 {
2219 use crate::types::SignatureType::*;
2220 eprintln!("{:?}", sig.typ());
2221 match sig.typ() {
2222 Binary =>
2223 Err(anyhow::anyhow!("binary!")),
2224 _ => Ok(()),
2225 }
2226 }
2227
2228 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2229 -> Result<()>
2230 {
2231 Ok(())
2232 }
2233
2234 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2235 Ok(())
2236 }
2237
2238 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2239 Ok(())
2240 }
2241
2242 fn packet(&self, _packet: &Packet) -> Result<()> {
2243 Ok(())
2244 }
2245 }
2246 let no_binary_signatures = &NoBinarySigantures {};
2247
2248 // Reject all subkey signatures.
2249 #[derive(Debug)]
2250 struct NoSubkeySigs;
2251 impl Policy for NoSubkeySigs {
2252 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2253 -> Result<()>
2254 {
2255 use crate::types::SignatureType::*;
2256
2257 match sig.typ() {
2258 SubkeyBinding => Err(anyhow::anyhow!("subkey signature!")),
2259 _ => Ok(()),
2260 }
2261 }
2262
2263 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2264 -> Result<()>
2265 {
2266 Ok(())
2267 }
2268
2269 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2270 Ok(())
2271 }
2272
2273 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2274 Ok(())
2275 }
2276
2277 fn packet(&self, _packet: &Packet) -> Result<()> {
2278 Ok(())
2279 }
2280 }
2281 let no_subkey_signatures = &NoSubkeySigs {};
2282
2283 let standard = &P::new();
2284
2285 let keys = [
2286 "neal.pgp",
2287 ].iter()
2288 .map(|f| Cert::from_bytes(crate::tests::key(f)).unwrap())
2289 .collect::<Vec<_>>();
2290 let data = "messages/signed-1.pgp";
2291
2292 let reference = crate::tests::manifesto();
2293
2294
2295
2296 // Test Verifier.
2297
2298 // Standard policy => ok.
2299 let h = VHelper::new(keys.clone());
2300 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2301 .with_policy(standard, crate::frozen_time(), h)?;
2302 assert!(v.message_processed());
2303 assert_eq!(v.helper_ref().good, 1);
2304 assert_eq!(v.helper_ref().errors, 0);
2305
2306 let mut content = Vec::new();
2307 v.read_to_end(&mut content).unwrap();
2308 assert_eq!(reference.len(), content.len());
2309 assert_eq!(reference, &content[..]);
2310
2311
2312 // Kill the subkey.
2313 let h = VHelper::new(keys.clone());
2314 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2315 .with_policy(no_subkey_signatures, crate::frozen_time(), h)?;
2316 assert!(v.message_processed());
2317 assert_eq!(v.helper_ref().good, 0);
2318 assert_eq!(v.helper_ref().errors, 1);
2319
2320 let mut content = Vec::new();
2321 v.read_to_end(&mut content).unwrap();
2322 assert_eq!(reference.len(), content.len());
2323 assert_eq!(reference, &content[..]);
2324
2325
2326 // Kill the data signature.
2327 let h = VHelper::new(keys.clone());
2328 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2329 .with_policy(no_binary_signatures, crate::frozen_time(), h)?;
2330 assert!(v.message_processed());
2331 assert_eq!(v.helper_ref().good, 0);
2332 assert_eq!(v.helper_ref().errors, 1);
2333
2334 let mut content = Vec::new();
2335 v.read_to_end(&mut content).unwrap();
2336 assert_eq!(reference.len(), content.len());
2337 assert_eq!(reference, &content[..]);
2338
2339
2340
2341 // Test Decryptor.
2342
2343 // Standard policy.
2344 let h = VHelper::new(keys.clone());
2345 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2346 .with_policy(standard, crate::frozen_time(), h)?;
2347 assert!(v.message_processed());
2348 assert_eq!(v.helper_ref().good, 1);
2349 assert_eq!(v.helper_ref().errors, 0);
2350
2351 let mut content = Vec::new();
2352 v.read_to_end(&mut content).unwrap();
2353 assert_eq!(reference.len(), content.len());
2354 assert_eq!(reference, &content[..]);
2355
2356
2357 // Kill the subkey.
2358 let h = VHelper::new(keys.clone());
2359 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2360 .with_policy(no_subkey_signatures, crate::frozen_time(), h)?;
2361 assert!(v.message_processed());
2362 assert_eq!(v.helper_ref().good, 0);
2363 assert_eq!(v.helper_ref().errors, 1);
2364
2365 let mut content = Vec::new();
2366 v.read_to_end(&mut content).unwrap();
2367 assert_eq!(reference.len(), content.len());
2368 assert_eq!(reference, &content[..]);
2369
2370
2371 // Kill the data signature.
2372 let h = VHelper::new(keys.clone());
2373 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2374 .with_policy(no_binary_signatures, crate::frozen_time(), h)?;
2375 assert!(v.message_processed());
2376 assert_eq!(v.helper_ref().good, 0);
2377 assert_eq!(v.helper_ref().errors, 1);
2378
2379 let mut content = Vec::new();
2380 v.read_to_end(&mut content).unwrap();
2381 assert_eq!(reference.len(), content.len());
2382 assert_eq!(reference, &content[..]);
2383 Ok(())
2384 }
2385
2386 #[test]
2387 fn hash_algo() -> Result<()> {
2388 use crate::types::RevocationStatus;
2389 use crate::types::ReasonForRevocation;
2390
2391 const SECS_IN_YEAR : u64 = 365 * 24 * 60 * 60;
2392
2393 // A `const fn` is only guaranteed to be evaluated at compile
2394 // time if the result is assigned to a `const` variable. Make
2395 // sure that works.
2396 const DEFAULT : StandardPolicy = StandardPolicy::new();
2397
2398 let (cert, _) = CertBuilder::new()
2399 .add_userid("Alice")
2400 .generate()?;
2401
2402 let algo = cert.primary_key()
2403 .binding_signature(&DEFAULT, None).unwrap().hash_algo();
2404
2405 eprintln!("{:?}", algo);
2406
2407 // Create a revoked version.
2408 let mut keypair = cert.primary_key().key().clone()
2409 .parts_into_secret()?.into_keypair()?;
2410 let rev = cert.revoke(
2411 &mut keypair,
2412 ReasonForRevocation::KeyCompromised,
2413 b"It was the maid :/")?;
2414 let cert_revoked = cert.clone().insert_packets(rev)?.0;
2415
2416 match cert_revoked.revocation_status(&DEFAULT, None) {
2417 RevocationStatus::Revoked(sigs) => {
2418 assert_eq!(sigs.len(), 1);
2419 assert_eq!(sigs[0].hash_algo(), algo);
2420 }
2421 _ => panic!("not revoked"),
2422 }
2423
2424
2425 // Reject the hash algorithm unconditionally.
2426 let mut reject : StandardPolicy = StandardPolicy::new();
2427 reject.reject_hash(algo);
2428 assert!(cert.primary_key()
2429 .binding_signature(&reject, None).is_err());
2430 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2431 = cert_revoked.revocation_status(&reject, None));
2432
2433 // Reject the hash algorithm next year.
2434 let mut reject : StandardPolicy = StandardPolicy::new();
2435 reject.reject_hash_at(
2436 algo,
2437 crate::now().checked_add(Duration::from_secs(SECS_IN_YEAR)));
2438 reject.hash_revocation_tolerance(0);
2439 cert.primary_key().binding_signature(&reject, None)?;
2440 assert_match!(RevocationStatus::Revoked(_)
2441 = cert_revoked.revocation_status(&reject, None));
2442
2443 // Reject the hash algorithm last year.
2444 let mut reject : StandardPolicy = StandardPolicy::new();
2445 reject.reject_hash_at(
2446 algo,
2447 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2448 reject.hash_revocation_tolerance(0);
2449 assert!(cert.primary_key()
2450 .binding_signature(&reject, None).is_err());
2451 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2452 = cert_revoked.revocation_status(&reject, None));
2453
2454 // Reject the hash algorithm for normal signatures last year,
2455 // and revocations next year.
2456 let mut reject : StandardPolicy = StandardPolicy::new();
2457 reject.reject_hash_at(
2458 algo,
2459 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2460 reject.hash_revocation_tolerance(2 * SECS_IN_YEAR as u32);
2461 assert!(cert.primary_key()
2462 .binding_signature(&reject, None).is_err());
2463 assert_match!(RevocationStatus::Revoked(_)
2464 = cert_revoked.revocation_status(&reject, None));
2465
2466 // Accept algo, but reject the algos with id - 1 and id + 1.
2467 let mut reject : StandardPolicy = StandardPolicy::new();
2468 let algo_u8 : u8 = algo.into();
2469 assert!(algo_u8 != 0u8);
2470 reject.reject_hash_at(
2471 (algo_u8 - 1).into(),
2472 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2473 reject.reject_hash_at(
2474 (algo_u8 + 1).into(),
2475 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2476 reject.hash_revocation_tolerance(0);
2477 cert.primary_key().binding_signature(&reject, None)?;
2478 assert_match!(RevocationStatus::Revoked(_)
2479 = cert_revoked.revocation_status(&reject, None));
2480
2481 // Reject the hash algorithm since before the Unix epoch.
2482 // Since the earliest representable time using a Timestamp is
2483 // the Unix epoch, this is equivalent to rejecting everything.
2484 let mut reject : StandardPolicy = StandardPolicy::new();
2485 reject.reject_hash_at(
2486 algo,
2487 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2488 reject.hash_revocation_tolerance(0);
2489 assert!(cert.primary_key()
2490 .binding_signature(&reject, None).is_err());
2491 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2492 = cert_revoked.revocation_status(&reject, None));
2493
2494 // Reject the hash algorithm after the end of time that is
2495 // representable by a Timestamp (2106). This should accept
2496 // everything.
2497 let mut reject : StandardPolicy = StandardPolicy::new();
2498 reject.reject_hash_at(
2499 algo,
2500 SystemTime::UNIX_EPOCH.checked_add(Duration::from_secs(500 * SECS_IN_YEAR)));
2501 reject.hash_revocation_tolerance(0);
2502 cert.primary_key().binding_signature(&reject, None)?;
2503 assert_match!(RevocationStatus::Revoked(_)
2504 = cert_revoked.revocation_status(&reject, None));
2505
2506 Ok(())
2507 }
2508
2509 #[test]
2510 fn key_verify_self_signature() -> Result<()> {
2511 let p = &P::new();
2512
2513 #[derive(Debug)]
2514 struct NoRsa;
2515 impl Policy for NoRsa {
2516 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2517 -> Result<()>
2518 {
2519 use crate::types::PublicKeyAlgorithm::*;
2520
2521 eprintln!("algo: {}", ka.key().pk_algo());
2522 if ka.key().pk_algo() == RSAEncryptSign {
2523 Err(anyhow::anyhow!("RSA!"))
2524 } else {
2525 Ok(())
2526 }
2527 }
2528
2529 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
2530 Ok(())
2531 }
2532
2533 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2534 Ok(())
2535 }
2536
2537 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2538 Ok(())
2539 }
2540
2541 fn packet(&self, _packet: &Packet) -> Result<()> {
2542 Ok(())
2543 }
2544 }
2545 let norsa = &NoRsa {};
2546
2547 // Generate a certificate with an RSA primary and two RSA
2548 // subkeys.
2549 let (cert,_) = CertBuilder::new()
2550 .set_cipher_suite(CipherSuite::RSA2k)
2551 .add_signing_subkey()
2552 .add_signing_subkey()
2553 .generate()?;
2554 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2555 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2556 assert!(cert.primary_key().with_policy(p, None).is_ok());
2557 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2558
2559 // Generate a certificate with an ECC primary, an ECC subkey,
2560 // and an RSA subkey.
2561 let (cert,_) = CertBuilder::new()
2562 .set_cipher_suite(CipherSuite::Cv25519)
2563 .add_signing_subkey()
2564 .generate()?;
2565
2566 let pk = cert.primary_key().key().parts_as_secret()?;
2567 let subkey: key::SecretSubkey
2568 = Key4::generate_rsa(2048)?.into();
2569 let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding)
2570 .set_key_flags(KeyFlags::empty().set_transport_encryption())?
2571 .sign_subkey_binding(&mut pk.clone().into_keypair()?,
2572 pk.parts_as_public(), &subkey)?;
2573
2574 let cert = cert.insert_packets(
2575 vec![ Packet::from(subkey), binding.into() ])?.0;
2576
2577 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2578 assert_eq!(cert.keys().with_policy(norsa, None).count(), 2);
2579 assert!(cert.primary_key().with_policy(p, None).is_ok());
2580 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2581
2582 // Generate a certificate with an RSA primary, an RSA subkey,
2583 // and an ECC subkey.
2584 let (cert,_) = CertBuilder::new()
2585 .set_cipher_suite(CipherSuite::RSA2k)
2586 .add_signing_subkey()
2587 .generate()?;
2588
2589 let pk = cert.primary_key().key().parts_as_secret()?;
2590 let subkey: key::SecretSubkey
2591 = key::Key6::generate_ecc(true, Curve::Ed25519)?.into();
2592 let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding)
2593 .set_key_flags(KeyFlags::empty().set_transport_encryption())?
2594 .sign_subkey_binding(&mut pk.clone().into_keypair()?,
2595 pk.parts_as_public(), &subkey)?;
2596
2597 let cert = cert.insert_packets(
2598 vec![ Packet::from(subkey), binding.into() ])?.0;
2599
2600 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2601 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2602 assert!(cert.primary_key().with_policy(p, None).is_ok());
2603 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2604
2605 // Generate a certificate with an ECC primary and two ECC
2606 // subkeys.
2607 let (cert,_) = CertBuilder::new()
2608 .set_cipher_suite(CipherSuite::Cv25519)
2609 .add_signing_subkey()
2610 .add_signing_subkey()
2611 .generate()?;
2612 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2613 assert_eq!(cert.keys().with_policy(norsa, None).count(), 3);
2614 assert!(cert.primary_key().with_policy(p, None).is_ok());
2615 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2616
2617 Ok(())
2618 }
2619
2620 #[test]
2621 fn key_verify_binary_signature() -> Result<()> {
2622 use crate::packet::signature;
2623 use crate::serialize::SerializeInto;
2624 use crate::Packet;
2625 use crate::types::KeyFlags;
2626
2627 let p = &P::new();
2628
2629 #[derive(Debug)]
2630 struct NoRsa;
2631 impl Policy for NoRsa {
2632 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2633 -> Result<()>
2634 {
2635 use crate::types::PublicKeyAlgorithm::*;
2636
2637 eprintln!("algo: {} is {}",
2638 ka.key().fingerprint(), ka.key().pk_algo());
2639 if ka.key().pk_algo() == RSAEncryptSign {
2640 Err(anyhow::anyhow!("RSA!"))
2641 } else {
2642 Ok(())
2643 }
2644 }
2645
2646 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
2647 Ok(())
2648 }
2649
2650 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2651 Ok(())
2652 }
2653
2654 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2655 Ok(())
2656 }
2657
2658 fn packet(&self, _packet: &Packet) -> Result<()> {
2659 Ok(())
2660 }
2661 }
2662 let norsa = &NoRsa {};
2663
2664 #[derive(PartialEq, Debug)]
2665 struct VHelper {
2666 good: usize,
2667 errors: usize,
2668 keys: Vec<Cert>,
2669 }
2670
2671 impl VHelper {
2672 fn new(keys: Vec<Cert>) -> Self {
2673 VHelper {
2674 good: 0,
2675 errors: 0,
2676 keys,
2677 }
2678 }
2679 }
2680
2681 impl VerificationHelper for VHelper {
2682 fn get_certs(&mut self, _ids: &[crate::KeyHandle])
2683 -> Result<Vec<Cert>>
2684 {
2685 Ok(self.keys.clone())
2686 }
2687
2688 fn check(&mut self, structure: MessageStructure) -> Result<()>
2689 {
2690 for layer in structure {
2691 match layer {
2692 MessageLayer::SignatureGroup { ref results } =>
2693 for result in results {
2694 match result {
2695 Ok(_) => self.good += 1,
2696 Err(e) => {
2697 eprintln!("{}", e);
2698 self.errors += 1
2699 },
2700 }
2701 }
2702 MessageLayer::Compression { .. } => (),
2703 _ => unreachable!(),
2704 }
2705 }
2706
2707 Ok(())
2708 }
2709 }
2710
2711 impl DecryptionHelper for VHelper {
2712 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2713 _: Option<SymmetricAlgorithm>,
2714 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2715 -> Result<Option<Cert>>
2716 {
2717 unreachable!();
2718 }
2719 }
2720
2721 // Sign msg using cert's first subkey, return the signature.
2722 fn sign_and_verify(p: &dyn Policy, cert: &Cert, good: bool) {
2723 eprintln!("Expect verification to be {}",
2724 if good { "good" } else { "bad" });
2725 for (i, k) in cert.keys().enumerate() {
2726 eprintln!(" {}. {}", i, k.key().fingerprint());
2727 }
2728
2729 let msg = b"Hello, World";
2730
2731 // We always use the first subkey.
2732 let key = cert.keys().nth(1).unwrap().key();
2733 let mut keypair = key.clone()
2734 .parts_into_secret().unwrap()
2735 .into_keypair().unwrap();
2736
2737 // Create a signature.
2738 let sig =
2739 signature::SignatureBuilder::new(SignatureType::Binary)
2740 .sign_message(&mut keypair, msg).unwrap();
2741
2742 // Make sure the signature is ok.
2743 sig.verify_message(key, msg).unwrap();
2744
2745 // Turn it into a detached signature.
2746 let sig = Packet::from(sig).to_vec().unwrap();
2747
2748 let h = VHelper::new(vec![ cert.clone() ]);
2749 let mut v = DetachedVerifierBuilder::from_bytes(&sig).unwrap()
2750 .with_policy(p, None, h).unwrap();
2751 v.verify_bytes(msg).unwrap();
2752 assert_eq!(v.helper_ref().good, if good { 1 } else { 0 });
2753 assert_eq!(v.helper_ref().errors, if good { 0 } else { 1 });
2754 }
2755
2756
2757 // A certificate with an ECC primary and an ECC signing
2758 // subkey.
2759 eprintln!("Trying ECC primary, ECC sub:");
2760 let (cert,_) = CertBuilder::new()
2761 .set_cipher_suite(CipherSuite::Cv25519)
2762 .add_subkey(KeyFlags::empty().set_signing(), None,
2763 None)
2764 .generate()?;
2765
2766 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2767 assert_eq!(cert.keys().with_policy(norsa, None).count(), 2);
2768 assert!(cert.primary_key().with_policy(p, None).is_ok());
2769 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2770
2771 sign_and_verify(p, &cert, true);
2772 sign_and_verify(norsa, &cert, true);
2773
2774 // A certificate with an RSA primary and an RCC signing
2775 // subkey.
2776 eprintln!("Trying RSA primary, ECC sub:");
2777 let (cert,_) = CertBuilder::new()
2778 .set_cipher_suite(CipherSuite::RSA2k)
2779 .add_subkey(KeyFlags::empty().set_signing(), None,
2780 CipherSuite::Cv25519)
2781 .generate()?;
2782
2783 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2784 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2785 assert!(cert.primary_key().with_policy(p, None).is_ok());
2786 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2787
2788 sign_and_verify(p, &cert, true);
2789 sign_and_verify(norsa, &cert, false);
2790
2791 // A certificate with an ECC primary and an RSA signing
2792 // subkey.
2793 eprintln!("Trying ECC primary, RSA sub:");
2794 let (cert,_) = CertBuilder::new()
2795 .set_cipher_suite(CipherSuite::Cv25519)
2796 .add_subkey(KeyFlags::empty().set_signing(), None,
2797 CipherSuite::RSA2k)
2798 .generate()?;
2799
2800 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2801 assert_eq!(cert.keys().with_policy(norsa, None).count(), 1);
2802 assert!(cert.primary_key().with_policy(p, None).is_ok());
2803 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2804
2805 sign_and_verify(p, &cert, true);
2806 sign_and_verify(norsa, &cert, false);
2807
2808 Ok(())
2809 }
2810
2811 #[test]
2812 fn reject_seip_packet() -> Result<()> {
2813 #[derive(PartialEq, Debug)]
2814 struct Helper {}
2815 impl VerificationHelper for Helper {
2816 fn get_certs(&mut self, _: &[crate::KeyHandle])
2817 -> Result<Vec<Cert>> {
2818 unreachable!()
2819 }
2820
2821 fn check(&mut self, _: MessageStructure) -> Result<()> {
2822 unreachable!()
2823 }
2824 }
2825
2826 impl DecryptionHelper for Helper {
2827 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2828 _: Option<SymmetricAlgorithm>,
2829 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2830 -> Result<Option<Cert>>
2831 {
2832 Ok(None)
2833 }
2834 }
2835
2836 let p = &P::new();
2837 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2838 "encrypted-to-testy.pgp"))?
2839 .with_policy(p, crate::frozen_time(), Helper {});
2840 match r {
2841 Ok(_) => panic!(),
2842 Err(e) => assert_match!(Error::MissingSessionKey(_)
2843 = e.downcast().unwrap()),
2844 }
2845
2846 // Reject the SEIP packet.
2847 let p = &mut P::new();
2848 p.reject_packet_tag(Tag::SEIP);
2849 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2850 "encrypted-to-testy.pgp"))?
2851 .with_policy(p, crate::frozen_time(), Helper {});
2852 match r {
2853 Ok(_) => panic!(),
2854 Err(e) => assert_match!(Error::PolicyViolation(_, _)
2855 = e.downcast().unwrap()),
2856 }
2857 Ok(())
2858 }
2859
2860 #[test]
2861 fn reject_cipher() -> Result<()> {
2862 struct Helper {}
2863 impl VerificationHelper for Helper {
2864 fn get_certs(&mut self, _: &[crate::KeyHandle])
2865 -> Result<Vec<Cert>> {
2866 Ok(Default::default())
2867 }
2868
2869 fn check(&mut self, _: MessageStructure) -> Result<()> {
2870 Ok(())
2871 }
2872 }
2873
2874 impl DecryptionHelper for Helper {
2875 fn decrypt(&mut self, pkesks: &[PKESK], _: &[SKESK],
2876 algo: Option<SymmetricAlgorithm>,
2877 decrypt: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2878 -> Result<Option<Cert>>
2879 {
2880 let p = &P::new();
2881 let mut pair = Cert::from_bytes(
2882 crate::tests::key("testy-private.pgp"))?
2883 .keys().with_policy(p, None)
2884 .for_transport_encryption().secret().next().unwrap()
2885 .key().clone().into_keypair()?;
2886 pkesks[0].decrypt(&mut pair, algo)
2887 .map(|(algo, session_key)| decrypt(algo, &session_key));
2888 Ok(None)
2889 }
2890 }
2891
2892 let p = &P::new();
2893 DecryptorBuilder::from_bytes(crate::tests::message(
2894 "encrypted-to-testy-no-compression.pgp"))?
2895 .with_policy(p, crate::frozen_time(), Helper {})?;
2896
2897 // Reject the AES256.
2898 let p = &mut P::new();
2899 p.reject_symmetric_algo(SymmetricAlgorithm::AES256);
2900 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2901 "encrypted-to-testy-no-compression.pgp"))?
2902 .with_policy(p, crate::frozen_time(), Helper {});
2903 match r {
2904 Ok(_) => panic!(),
2905 Err(e) => assert_match!(Error::PolicyViolation(_, _)
2906 = e.downcast().unwrap()),
2907 }
2908 Ok(())
2909 }
2910
2911 #[test]
2912 fn reject_asymmetric_algos() -> Result<()> {
2913 let cert = Cert::from_bytes(crate::tests::key("neal.pgp"))?;
2914 let p = &mut P::new();
2915 let t = crate::frozen_time();
2916
2917 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 4);
2918 p.reject_asymmetric_algo(AsymmetricAlgorithm::RSA1024);
2919 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 4);
2920 p.reject_asymmetric_algo(AsymmetricAlgorithm::RSA2048);
2921 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 1);
2922 Ok(())
2923 }
2924
2925 #[test]
2926 fn reject_all_hashes() -> Result<()> {
2927 let mut p = StandardPolicy::new();
2928
2929 let set_variants = [
2930 HashAlgorithm::MD5,
2931 HashAlgorithm::Unknown(234),
2932 ];
2933 let check_variants = [
2934 HashAlgorithm::SHA512,
2935 HashAlgorithm::Unknown(239),
2936 ];
2937
2938 // Accept a few hashes explicitly.
2939 for v in set_variants.iter().cloned() {
2940 p.accept_hash(v);
2941 assert_eq!(
2942 p.hash_cutoff(
2943 v,
2944 HashAlgoSecurity::SecondPreImageResistance),
2945 ACCEPT.map(Into::into));
2946 assert_eq!(
2947 p.hash_cutoff(
2948 v,
2949 HashAlgoSecurity::CollisionResistance),
2950 ACCEPT.map(Into::into));
2951 }
2952
2953 // Reject all hashes.
2954 p.reject_all_hashes();
2955
2956 for v in set_variants.iter().chain(check_variants.iter()).cloned() {
2957 assert_eq!(
2958 p.hash_cutoff(
2959 v,
2960 HashAlgoSecurity::SecondPreImageResistance),
2961 REJECT.map(Into::into));
2962 assert_eq!(
2963 p.hash_cutoff(
2964 v,
2965 HashAlgoSecurity::CollisionResistance),
2966 REJECT.map(Into::into));
2967 }
2968
2969 Ok(())
2970 }
2971
2972 macro_rules! reject_all_check {
2973 ($reject_all:ident, $accept_one:ident, $cutoff:ident,
2974 $set_variants:expr, $check_variants:expr) => {
2975 #[test]
2976 fn $reject_all() -> Result<()> {
2977 let mut p = StandardPolicy::new();
2978
2979 // Accept a few hashes explicitly.
2980 for v in $set_variants.iter().cloned() {
2981 p.$accept_one(v);
2982 assert_eq!(p.$cutoff(v), ACCEPT.map(Into::into));
2983 }
2984
2985 // Reject all hashes.
2986 p.$reject_all();
2987
2988 for v in $set_variants.iter()
2989 .chain($check_variants.iter()).cloned()
2990 {
2991 assert_eq!(
2992 p.$cutoff(v),
2993 REJECT.map(Into::into));
2994 }
2995 Ok(())
2996 }
2997 }
2998 }
2999
3000 reject_all_check!(reject_all_critical_subpackets,
3001 accept_critical_subpacket,
3002 critical_subpacket_cutoff,
3003 &[ SubpacketTag::TrustSignature,
3004 SubpacketTag::Unknown(252) ],
3005 &[ SubpacketTag::Unknown(253),
3006 SubpacketTag::SignatureCreationTime ]);
3007
3008 reject_all_check!(reject_all_asymmetric_algos,
3009 accept_asymmetric_algo,
3010 asymmetric_algo_cutoff,
3011 &[ AsymmetricAlgorithm::RSA3072,
3012 AsymmetricAlgorithm::Cv25519 ],
3013 &[ AsymmetricAlgorithm::Unknown,
3014 AsymmetricAlgorithm::NistP256 ]);
3015
3016 reject_all_check!(reject_all_symmetric_algos,
3017 accept_symmetric_algo,
3018 symmetric_algo_cutoff,
3019 &[ SymmetricAlgorithm::Unencrypted,
3020 SymmetricAlgorithm::Unknown(252) ],
3021 &[ SymmetricAlgorithm::AES256,
3022 SymmetricAlgorithm::Unknown(230) ]);
3023
3024 reject_all_check!(reject_all_aead_algos,
3025 accept_aead_algo,
3026 aead_algo_cutoff,
3027 &[ AEADAlgorithm::OCB ],
3028 &[ AEADAlgorithm::EAX ]);
3029
3030 #[test]
3031 fn reject_all_packets() -> Result<()> {
3032 let mut p = StandardPolicy::new();
3033
3034 let set_variants = [
3035 (Tag::SEIP, 4),
3036 (Tag::Unknown(252), 17),
3037 ];
3038 let check_variants = [
3039 (Tag::Signature, 4),
3040 (Tag::Unknown(230), 9),
3041 ];
3042
3043 // Accept a few packets explicitly.
3044 for (t, v) in set_variants.iter().cloned() {
3045 p.accept_packet_tag_version(t, v);
3046 assert_eq!(
3047 p.packet_tag_version_cutoff(t, v),
3048 ACCEPT.map(Into::into));
3049 }
3050
3051 // Reject all hashes.
3052 p.reject_all_packet_tags();
3053
3054 for (t, v) in set_variants.iter().chain(check_variants.iter()).cloned() {
3055 assert_eq!(
3056 p.packet_tag_version_cutoff(t, v),
3057 REJECT.map(Into::into));
3058 }
3059
3060 Ok(())
3061 }
3062
3063 #[test]
3064 fn packet_versions() -> Result<()> {
3065 // Accept the version of a packet. Optionally make sure a
3066 // different version is not accepted.
3067 fn accept_and_check(p: &mut StandardPolicy,
3068 tag: Tag,
3069 accept_versions: &[u8],
3070 good_versions: &[u8],
3071 bad_versions: &[u8]) {
3072 for v in accept_versions {
3073 p.accept_packet_tag_version(tag, *v);
3074 assert_eq!(
3075 p.packet_tag_version_cutoff(tag, *v),
3076 ACCEPT.map(Into::into));
3077 }
3078
3079 for v in good_versions.iter() {
3080 assert_eq!(
3081 p.packet_tag_version_cutoff(tag, *v),
3082 ACCEPT.map(Into::into));
3083 }
3084 for v in bad_versions.iter() {
3085 assert_eq!(
3086 p.packet_tag_version_cutoff(tag, *v),
3087 REJECT.map(Into::into));
3088 }
3089 }
3090
3091 use rand::seq::SliceRandom;
3092 let mut rng = rand::thread_rng();
3093
3094 let mut all_versions = (0..=u8::MAX).collect::<Vec<_>>();
3095 all_versions.shuffle(&mut rng);
3096 let all_versions = &all_versions[..];
3097 let mut not_v5 = all_versions.iter()
3098 .filter(|&&v| v != 5)
3099 .cloned()
3100 .collect::<Vec<_>>();
3101 not_v5.shuffle(&mut rng);
3102 let not_v5 = ¬_v5[..];
3103
3104 let p = &mut StandardPolicy::new();
3105 p.reject_all_packet_tags();
3106
3107 // First only use the versioned interfaces.
3108 accept_and_check(p, Tag::Signature, &[3], &[], &[4, 5]);
3109 accept_and_check(p, Tag::Signature, &[4], &[3], &[5]);
3110
3111 // Only use an unversioned policy.
3112 accept_and_check(p, Tag::SEIP,
3113 &[], // set to accept
3114 &[], // good
3115 all_versions, // bad
3116 );
3117 p.accept_packet_tag(Tag::SEIP);
3118 accept_and_check(p, Tag::SEIP,
3119 &[], // set to accept
3120 all_versions, // good
3121 &[], // bad
3122 );
3123
3124 // Set an unversioned policy and then a versioned policy.
3125 accept_and_check(p, Tag::PKESK,
3126 &[], // set to accept
3127 &[], // good
3128 all_versions, // bad
3129 );
3130 p.accept_packet_tag(Tag::PKESK);
3131 accept_and_check(p, Tag::PKESK,
3132 &[], // set to accept
3133 &(0..u8::MAX).collect::<Vec<_>>()[..], // good
3134 &[], // bad
3135 );
3136 p.reject_packet_tag_version(Tag::PKESK, 5);
3137 accept_and_check(p, Tag::PKESK,
3138 &[], // set to accept
3139 not_v5, // good
3140 &[5], // bad
3141 );
3142
3143 // Set a versioned policy and then an unversioned policy.
3144 // Make sure that the versioned policy is cleared by the
3145 // unversioned policy.
3146 accept_and_check(p, Tag::SKESK,
3147 &[], // set to accept
3148 &[], // good
3149 all_versions, // bad
3150 );
3151 p.accept_packet_tag_version(Tag::SKESK, 5);
3152 accept_and_check(p, Tag::SKESK,
3153 &[], // set to accept
3154 &[5], // good
3155 not_v5, // bad
3156 );
3157 p.reject_packet_tag(Tag::SKESK);
3158 // All versions should be bad now...
3159 accept_and_check(p, Tag::SKESK,
3160 &[], // set to accept
3161 &[], // good
3162 all_versions, // bad
3163 );
3164
3165 Ok(())
3166 }
3167}