sequoia_openpgp/policy.rs
1//! A mechanism to specify policy.
2//!
3//! A major goal of the Sequoia OpenPGP crate is to be policy free.
4//! However, many mid-level operations build on low-level primitives.
5//! For instance, finding a certificate's primary User ID means
6//! examining each of its User IDs and their current self-signature.
7//! Some algorithms are considered broken (e.g., MD5) and some are
8//! considered weak (e.g. SHA-1). When dealing with data from an
9//! untrusted source, for instance, callers will often prefer to
10//! ignore signatures that rely on these algorithms even though [RFC
11//! 4880] says that "\[i\]mplementations MUST implement SHA-1." When
12//! trying to decrypt old archives, however, users probably don't want
13//! to ignore keys using MD5, even though [Section 9.5 of RFC 9580]
14//! deprecates MD5.
15//!
16//! Rather than not provide this mid-level functionality, the `Policy`
17//! trait allows callers to specify their preferred policy. This can be
18//! highly customized by providing a custom implementation of the
19//! `Policy` trait, or it can be slightly refined by tweaking the
20//! `StandardPolicy`'s parameters.
21//!
22//! When implementing the `Policy` trait, it is *essential* that the
23//! functions are [pure]. That is, if the same `Policy` is used
24//! to determine whether a given `Signature` is valid, it must always
25//! return the same value.
26//!
27//! [Section 9.5 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-9.5
28//! [pure]: https://en.wikipedia.org/wiki/Pure_function
29use std::fmt;
30use std::time::{SystemTime, Duration};
31use std::u32;
32
33use anyhow::Context;
34
35use crate::{
36 cert::prelude::*,
37 Error,
38 Packet,
39 packet::{
40 key,
41 Signature,
42 signature::subpacket::{
43 SubpacketTag,
44 SubpacketValue,
45 },
46 Tag,
47 },
48 Result,
49 types,
50 types::{
51 AEADAlgorithm,
52 HashAlgorithm,
53 SignatureType,
54 SymmetricAlgorithm,
55 Timestamp,
56 },
57};
58
59#[macro_use] mod cutofflist;
60use cutofflist::{
61 CutoffList,
62 REJECT,
63 ACCEPT,
64 VersionedCutoffList,
65};
66
67/// A policy for cryptographic operations.
68pub trait Policy : fmt::Debug + Send + Sync {
69 /// Returns an error if the signature violates the policy.
70 ///
71 /// This function performs the last check before the library
72 /// decides that a signature is valid. That is, after the library
73 /// has determined that the signature is well-formed, alive, not
74 /// revoked, etc., it calls this function to allow you to
75 /// implement any additional policy. For instance, you may reject
76 /// signatures that make use of cryptographically insecure
77 /// algorithms like SHA-1.
78 ///
79 /// Note: Whereas it is generally better to reject suspicious
80 /// signatures, one should be more liberal when considering
81 /// revocations: if you reject a revocation certificate, it may
82 /// inadvertently make something else valid!
83 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
84 Err(Error::PolicyViolation(
85 "By default all signatures are rejected.".into(), None).into())
86 }
87
88 /// Returns an error if the key violates the policy.
89 ///
90 /// This function performs one of the last checks before a
91 /// `KeyAmalgamation` or a related data structures is turned into
92 /// a `ValidKeyAmalgamation`, or similar.
93 ///
94 /// Internally, the library always does this before using a key.
95 /// The sole exception is when creating a key using `CertBuilder`.
96 /// In that case, the primary key is not validated before it is
97 /// used to create any binding signatures.
98 ///
99 /// Thus, you can prevent keys that make use of insecure
100 /// algorithms, don't have a sufficiently high security margin
101 /// (e.g., 1024-bit RSA keys), are on a bad list, etc. from being
102 /// used here.
103 ///
104 /// If you implement this function, make sure to consider the Key
105 /// Derivation Function and Key Encapsulation parameters of ECDH
106 /// keys, see [`PublicKey::ECDH`].
107 ///
108 /// [`PublicKey::ECDH`]: crate::crypto::mpi::PublicKey::ECDH
109 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
110 -> Result<()>
111 {
112 Err(Error::PolicyViolation(
113 "By default all keys are rejected.".into(), None).into())
114 }
115
116 /// Returns an error if the symmetric encryption algorithm
117 /// violates the policy.
118 ///
119 /// This function performs the last check before an encryption
120 /// container is decrypted by the streaming decryptor.
121 ///
122 /// With this function, you can prevent the use of insecure
123 /// symmetric encryption algorithms.
124 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
125 Err(Error::PolicyViolation(
126 "By default all symmetric algorithms are rejected.".into(), None).into())
127 }
128
129 /// Returns an error if the AEAD mode violates the policy.
130 ///
131 /// This function performs the last check before an encryption
132 /// container is decrypted by the streaming decryptor.
133 ///
134 /// With this function, you can prevent the use of insecure AEAD
135 /// constructions.
136 ///
137 /// This feature is [experimental](super#experimental-features).
138 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
139 Err(Error::PolicyViolation(
140 "By default all AEAD algorithms are rejected.".into(), None).into())
141 }
142
143 /// Returns an error if the packet violates the policy.
144 ///
145 /// This function performs the last check before a packet is
146 /// considered by the streaming verifier and decryptor.
147 ///
148 /// With this function, you can prevent the use of insecure
149 /// encryption containers, notably the *Symmetrically Encrypted
150 /// Data Packet*.
151 fn packet(&self, _packet: &Packet) -> Result<()> {
152 Err(Error::PolicyViolation(
153 "By default all packets are rejected.".into(), None).into())
154 }
155}
156
157/// Whether the signed data requires a hash algorithm with collision
158/// resistance.
159///
160/// Since the context of a signature is not passed to
161/// `Policy::signature`, it is not possible to determine from that
162/// function whether the signature requires a hash algorithm with
163/// collision resistance. This enum indicates this.
164///
165/// In short, many self signatures only require second pre-image
166/// resistance. This can be used to extend the life of hash
167/// algorithms whose collision resistance has been partially
168/// compromised. Be careful. Read the background and the warning
169/// before accepting the use of weak hash algorithms!
170///
171/// # Warning
172///
173/// Although distinguishing whether signed data requires collision
174/// resistance can be used to permit the continued use of a hash
175/// algorithm in certain situations, once attacks against a hash
176/// algorithm are known, it is imperative to retire the use of the
177/// hash algorithm as soon as it is feasible. Cryptoanalytic attacks
178/// improve quickly, as demonstrated by the attacks on SHA-1.
179///
180/// # Background
181///
182/// Cryptographic hash functions normally have three security
183/// properties:
184///
185/// - Pre-image resistance,
186/// - Second pre-image resistance, and
187/// - Collision resistance.
188///
189/// A hash algorithm has pre-image resistance if given a hash `h`, it
190/// is impractical for an attacker to find a message `m` such that `h
191/// = hash(m)`. In other words, a hash algorithm has pre-image
192/// resistance if it is hard to invert. A hash algorithm has second
193/// pre-image resistance if it is impractical for an attacker to find
194/// a second message with the same hash as the first. That is, given
195/// `m1`, it is hard for an attacker to find an `m2` such that
196/// `hash(m1) = hash(m2)`. And, a hash algorithm has collision
197/// resistance if it is impractical for an attacker to find two
198/// messages with the same hash. That is, it is hard for an attacker
199/// to find an `m1` and an `m2` such that `hash(m1) = hash(m2)`.
200///
201/// In the context of verifying an OpenPGP signature, we don't need a
202/// hash algorithm with pre-image resistance. Pre-image resistance is
203/// only required when the message is a secret, e.g., a password. We
204/// always need a hash algorithm with second pre-image resistance,
205/// because an attacker must not be able to repurpose an arbitrary
206/// signature, i.e., create a collision with respect to a *known*
207/// hash. And, we need collision resistance when a signature is over
208/// data that could have been influenced by an attacker: if an
209/// attacker creates a pair of colliding messages and convinces the
210/// user to sign one of them, then the attacker can copy the signature
211/// to the other message.
212///
213/// Collision resistance implies second pre-image resistance, but not
214/// vice versa. If an attacker can find a second message with the
215/// same hash as some known message, they can also create a collision
216/// by choosing an arbitrary message and using their pre-image attack
217/// to find a colliding message. Thus, a context that requires
218/// collision resistance also requires second pre-image resistance.
219///
220/// Because collision resistance is with respect to two arbitrary
221/// messages, collision resistance is always susceptible to a
222/// [birthday paradox]. This means that the security margin of a hash
223/// algorithm's collision resistance is half of the security margin of
224/// its second pre-image resistance. And, in practice, the collision
225/// resistance of industry standard hash algorithms has been
226/// practically attacked multiple times. In the context of SHA-1,
227/// Wang et al. described how to find collisions in SHA-1 in their
228/// 2005 paper [Finding Collisions in the Full SHA-1]. In 2017,
229/// Stevens et al. published [The First Collision for Full SHA-1],
230/// which demonstrates the first practical attack on SHA-1's collision
231/// resistance, an identical-prefix collision attack. This attack
232/// only gives the attacker limited control over the content of the
233/// collided messages, which limits its applicability. However, in
234/// 2020, Leurent and Peyrin published [SHA-1 is a Shambles], which
235/// demonstrates a practical chosen-prefix collision attack. This
236/// attack gives the attacker complete control over the prefixes of
237/// the collided messages.
238///
239/// [birthday paradox]: https://en.wikipedia.org/wiki/Birthday_attack#Digital_signature_susceptibility
240/// [Finding Collisions in the Full SHA-1]: https://link.springer.com/chapter/10.1007/11535218_2
241/// [The first collision for full SHA-1]: https://shattered.io/
242/// [SHA-1 is a Shambles]: https://sha-mbles.github.io/
243///
244/// A chosen-prefix collision attack works as follows: an attacker
245/// chooses two arbitrary message prefixes, and then searches for
246/// so-called near collision blocks. These near collision blocks
247/// cause the internal state of the hashes to converge and eventually
248/// result in a collision, i.e., an identical hash value. The attack
249/// described in the [SHA-1 is a Shambles] paper requires 8 to 10 near
250/// collision blocks (512 to 640 bytes) to fully synchronize the
251/// internal state.
252///
253/// SHA-1 is a [Merkle-Damgård hash function]. This means that the
254/// hash function processes blocks one after the other, and the
255/// internal state of the hash function at any given point only
256/// depends on earlier blocks in the stream. A consequence of this is
257/// that it is possible to append a common suffix to the collided
258/// messages without any additional computational effort. That is, if
259/// `hash(m1) = hash(m2)`, then it necessarily holds that `hash(m1 ||
260/// suffix) = hash(m2 || suffix)`. This is called a [length extension
261/// attack].
262///
263/// [Merkle-Damgård hash function]: https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction
264/// [length extension attack]: https://en.wikipedia.org/wiki/Length_extension_attack
265///
266/// Thus, the [SHA-1 is a Shambles] attack solves the following:
267///
268/// ```text
269/// hash(m1 || collision blocks 1 || suffix) = hash(m2 || collision blocks 2 || suffix)
270/// ```
271///
272/// Where `m1`, `m2`, and `suffix` are controlled by the attacker, and
273/// only the collision blocks are controlled by the algorithm.
274///
275/// If an attacker can convince an OpenPGP user to sign a message of
276/// their choosing (some `m1 || collision blocks 1 || suffix`), then
277/// the attacker also has a valid signature from the victim for a
278/// colliding message (some `m2 || collision blocks 2 || suffix`).
279///
280/// The OpenPGP format imposes some additional constraints on the
281/// attacker. Although the attacker may control the message, the
282/// signature is also over a [signature packet], and a trailer.
283/// Specifically, [the following is signed] when signing a document:
284///
285/// ```text
286/// hash(document || sig packet || 0x04 || sig packet len)
287/// ```
288///
289/// and the [following is signed] when signing a binding signature:
290///
291/// ```text
292/// hash(public key || subkey || sig packet || 0x04 || sig packet len)
293/// ```
294///
295/// [signature packet]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.3
296/// [the following is signed]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.4
297///
298/// Since the signature packet is chosen by the victim's OpenPGP
299/// implementation, the attacker may be able to predict it, but they
300/// cannot store the collision blocks there. Thus, the signature
301/// packet is necessarily part of the common suffix, and the collision
302/// blocks must occur earlier in the stream.
303///
304/// This restriction on the signature packet means that an attacker
305/// cannot convince the victim to sign a document, and then transfer
306/// that signature to a colliding binding signature. These signatures
307/// necessarily have different [signature packet]s: the value of the
308/// [signature type] field is different. And, as just described, for
309/// this attack, the signature packets must be identical, because they
310/// are part of the common suffix. Finally, the trailer, which
311/// contains the signature packet's length, prevents hiding a
312/// signature in a signature.
313///
314/// [signature type]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.2.1
315///
316/// Given this, if we know for a given signature type that an attacker
317/// cannot control any of the data that is signed, then that type of
318/// signature does not need collision resistance; it is still
319/// vulnerable to an attack on the hash's second pre-image resistance
320/// (a collision with a specific message), but not one on its
321/// collision resistance (a collision with any message). This is the
322/// case for binding signatures, and direct key signatures. But, it
323/// is not normally the case for documents (the attacker may be able
324/// to control the content of the document), certifications (the
325/// attacker may be able to control the key packet, the User ID
326/// packet, or the User Attribute packet), or certificate revocations
327/// (the attacker may be able to control the key packet).
328///
329/// Certification signatures and revocations signatures can be further
330/// divided into self signatures and third-party signatures. If an
331/// attacker can convince a victim into signing a third-party
332/// signature, as was done in the [SHA-1 is a Shambles], they may be
333/// able to transfer the signature to a colliding self signature. If
334/// we can show that an attacker can't collide a self signature, and a
335/// third-party signature, then we may be able to show that self
336/// signatures don't require collision resistance. The same
337/// consideration holds for revocations and third-party revocations.
338///
339/// We first consider revocations, which are more straightforward.
340/// The attack is the following: an attacker creates a fake
341/// certificate (A), and sets the victim as a designated revoker.
342/// They then ask the victim to revoke their certificate (V). The
343/// attacker than transfers the signature to a colliding self
344/// revocation, which causes the victim's certificate (V) to be
345/// revoked.
346///
347/// A revocation is over a public key packet and a signature packet.
348/// In this scenario, the attacker controls the fake certificate (A)
349/// and thus the public key packet that the victim actually signs.
350/// But the victim's public key packet is determined by their
351/// certificate (V). Thus, the attacker would have to insert the near
352/// collision blocks in the signature packet, which, as we argued
353/// before, is not possible. Thus, it is safe to only use a hash with
354/// pre-image resistance to protect a self-revocation.
355///
356/// We now turn to self signatures. The attack is similar to the
357/// [SHA-1 is a Shambles] attack. An attacker creates a certificate
358/// (A) and convinces the victim to sign it. The attacker can then
359/// transfer the third-party certification to a colliding self
360/// signature for the victim's certificate (V). If successful, this
361/// attack allows the attacker to add a User ID or a User Attribute to
362/// the victim's certificate (V). This can confuse people who use the
363/// victim's certificate. For instance, if the attacker adds the
364/// identity `alice@example.org` to the victim's certificate, and Bob
365/// receives a message signed using the victim's certificate (V), he
366/// may think that Alice signed the message instead of the victim.
367/// Bob won't be tricked if he uses strong authentication, but many
368/// OpenPGP users use weak authentication (e.g., TOFU) or don't
369/// authenticate keys at all.
370///
371/// A certification is over a public key packet, a User ID or User
372/// Attribute packet, and a signature packet. The attacker controls
373/// the fake certificate (A) and therefore the public key packet, and
374/// the User ID or User Attribute packet that the victim signs.
375/// However, to trick the victim, the User ID packet or User Attribute
376/// packet needs to correspond to an identity that the attacker
377/// appears to control. Thus, if the near collision blocks are stored
378/// in the User ID or User Attribute packet of A, they have to be
379/// hidden to avoid making the victim suspicious. This is
380/// straightforward for User Attributes, which are currently images,
381/// and have many places to hide this type of data. However, User IDs
382/// are normally [UTF-8 encoded RFC 2822 mailbox]es, which makes
383/// hiding half a kilobyte of binary data impractical. The attacker
384/// does not control the victim's public key (in V). But, they do
385/// control the malicious User ID or User Attribute that they want to
386/// attack to the victim's certificate (V). But again, the near
387/// collision blocks have to be hidden in order to trick Bob, the
388/// second victim. Thus, the attack has two possibilities: they can
389/// hide the near collision blocks in the fake public key (in A), and
390/// the User ID or User Attribute (added to V); or, they can hide them
391/// in the fake User IDs or User Attributes (in A and the one added to
392/// V).
393///
394/// As evidenced by the [SHA-1 is a Shambles] attack, it is possible
395/// to hide near collision blocks in User Attribute packets. Thus,
396/// this attack can be used to transfer a third-party certification
397/// over a User Attribute to a self signature over a User Attribute.
398/// As such, self signatures over User Attributes need collision
399/// resistance.
400///
401/// The final case to consider is hiding the near collision blocks in
402/// the User ID that the attacker wants to add to the victim's
403/// certificate. Again, it is possible to store the near collision
404/// blocks there. However, there are two mitigating factors. First,
405/// there is no place to hide the blocks. As such, the user must be
406/// convinced to ignore them. Second, a User ID is structure: it
407/// normally contains a [UTF-8 encoded RFC 2822 mailbox]. Thus, if we
408/// only consider valid UTF-8 strings, and limit the maximum size, we
409/// can dramatically increase the workfactor, which can extend the life
410/// of a hash algorithm whose collision resistance has been weakened.
411///
412/// [UTF-8 encoded RFC 2822 mailbox]: https://www.rfc-editor.org/rfc/rfc9580.html#section-5.11
413#[derive(Debug, Clone, Copy, Eq, PartialEq)]
414pub enum HashAlgoSecurity {
415 /// The signed data only requires second pre-image resistance.
416 ///
417 /// If a signature is over data that an attacker cannot influence,
418 /// then the hash function does not need to provide collision
419 /// resistance. This is **only** the case for:
420 ///
421 /// - Subkey binding signatures
422 /// - Primary key binding signatures
423 /// - Self revocations
424 ///
425 /// Due to the structure of User IDs (they are normally short,
426 /// UTF-8 encoded RFC 2822 mailboxes), self signatures over short,
427 /// reasonable User IDs (**not** User Attributes) also don't
428 /// require strong collision resistance. Thus, we also only
429 /// require a signature with second pre-image resistance for:
430 ///
431 /// - Self signatures over reasonable User IDs
432 SecondPreImageResistance,
433 /// The signed data requires collision resistance.
434 ///
435 /// If a signature is over data that an attacker can influence,
436 /// then the hash function must provide collision resistance.
437 /// This is the case for documents, third-party certifications,
438 /// and third-party revocations.
439 ///
440 /// Note: collision resistance implies second pre-image
441 /// resistance. Thus, when evaluating whether a hash algorithm
442 /// has collision resistance, we also check whether it has second
443 /// pre-image resistance.
444 CollisionResistance,
445}
446
447impl Default for HashAlgoSecurity {
448 /// The default is the most conservative policy.
449 fn default() -> Self {
450 HashAlgoSecurity::CollisionResistance
451 }
452}
453
454/// The standard policy.
455///
456/// The standard policy stores when each algorithm in a family of
457/// algorithms is no longer considered safe. Attempts to use an
458/// algorithm after its cutoff time should fail.
459///
460/// A `StandardPolicy` can be configured using Rust. Sometimes it is
461/// useful to configure it via a configuration file. This can be done
462/// using the [`sequoia-policy-config`] crate.
463///
464/// [`sequoia-policy-config`]: https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/
465///
466/// It is recommended to support using a configuration file when the
467/// program should respect the system's crypto policy. This is
468/// required on Fedora, for instance. See the [Fedora Crypto
469/// Policies] project for more information.
470///
471/// [Fedora]: https://gitlab.com/redhat-crypto/fedora-crypto-policies
472///
473/// When validating a signature, we normally want to know whether the
474/// algorithms used are safe *now*. That is, we don't use the
475/// signature's alleged creation time when considering whether an
476/// algorithm is safe, because if an algorithm is discovered to be
477/// compromised at time X, then an attacker could forge a message
478/// after time X with a signature creation time that is prior to X,
479/// which would be incorrectly accepted.
480///
481/// Occasionally, we know that a signature has not been tampered with
482/// since some time in the past. We might know this if the signature
483/// was stored on some tamper-proof medium. In those cases, it is
484/// reasonable to use the time that the signature was saved, since an
485/// attacker could not have taken advantage of any weaknesses found
486/// after that time.
487///
488/// # Examples
489///
490/// A `StandardPolicy` object can be used to build specialized policies.
491/// For example the following policy filters out Persona certifications mimicking
492/// what GnuPG does when calculating the Web of Trust.
493///
494/// ```rust
495/// use sequoia_openpgp as openpgp;
496/// use std::io::{Cursor, Read};
497/// use openpgp::Result;
498/// use openpgp::packet::{Packet, Signature, key::PublicParts};
499/// use openpgp::cert::prelude::*;
500/// use openpgp::parse::Parse;
501/// use openpgp::armor::{Reader, ReaderMode, Kind};
502/// use openpgp::policy::{HashAlgoSecurity, Policy, StandardPolicy};
503/// use openpgp::types::{
504/// SymmetricAlgorithm,
505/// AEADAlgorithm,
506/// SignatureType
507/// };
508///
509/// #[derive(Debug)]
510/// struct RejectPersonaCertificationsPolicy<'a>(StandardPolicy<'a>);
511///
512/// impl Policy for RejectPersonaCertificationsPolicy<'_> {
513/// fn key(&self, ka: &ValidErasedKeyAmalgamation<PublicParts>)
514/// -> Result<()>
515/// {
516/// self.0.key(ka)
517/// }
518///
519/// fn signature(&self, sig: &Signature, sec: HashAlgoSecurity) -> Result<()> {
520/// if sig.typ() == SignatureType::PersonaCertification {
521/// Err(anyhow::anyhow!("Persona certifications are ignored."))
522/// } else {
523/// self.0.signature(sig, sec)
524/// }
525/// }
526///
527/// fn symmetric_algorithm(&self, algo: SymmetricAlgorithm) -> Result<()> {
528/// self.0.symmetric_algorithm(algo)
529/// }
530///
531/// fn aead_algorithm(&self, algo: AEADAlgorithm) -> Result<()> {
532/// self.0.aead_algorithm(algo)
533/// }
534///
535/// fn packet(&self, packet: &Packet) -> Result<()> {
536/// self.0.packet(packet)
537/// }
538/// }
539///
540/// impl RejectPersonaCertificationsPolicy<'_> {
541/// fn new() -> Self {
542/// Self(StandardPolicy::new())
543/// }
544/// }
545///
546/// # fn main() -> Result<()> {
547/// // this key has one persona certification
548/// let data = r#"
549/// -----BEGIN PGP PUBLIC KEY BLOCK-----
550///
551/// mDMEX7JGrxYJKwYBBAHaRw8BAQdASKGcnowaZBDc2Z3rZZlWb6jEjne9sK76afbJ
552/// trd5Uw+0BlRlc3QgMoiQBBMWCAA4FiEEyZ6oBYFia3z+ooCBqR9BqiGp8AQFAl+y
553/// Rq8CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQqR9BqiGp8ASfxwEAvEb0
554/// bFr7ZgFZSDOITNptm+FEynib8mmLACsvHAmCjvIA+gOaSNyxMW6N59q7/j0sDjp1
555/// aYNgpNFLbYBZpkXXVL0GiHUEERYIAB0WIQTE4QfdkkisIbWVOcHmlsuS3dbWEwUC
556/// X7JG4gAKCRDmlsuS3dbWExEwAQCpqfiVMhjDwVFMsMpwd5r0N/8rAx8/nmgpCsK3
557/// M9TUrAD7BhTYVPRbkJqTZYd9DlLtBcbF3yNPTHlB+F2sFjI+cgo=
558/// =ZfYu
559/// -----END PGP PUBLIC KEY BLOCK-----
560/// "#;
561///
562/// let mut cursor = Cursor::new(&data);
563/// let mut reader = Reader::from_reader(&mut cursor, ReaderMode::Tolerant(Some(Kind::PublicKey)));
564///
565/// let mut buf = Vec::new();
566/// reader.read_to_end(&mut buf)?;
567/// let cert = Cert::from_bytes(&buf)?;
568///
569/// let ref sp = StandardPolicy::new();
570/// let u = cert.with_policy(sp, None)?.userids().nth(0).unwrap();
571///
572/// // Under the standard policy the persona certification is visible.
573/// assert_eq!(u.certifications().count(), 1);
574///
575/// // Under our custom policy the persona certification is not available.
576/// let ref p = RejectPersonaCertificationsPolicy::new();
577/// assert_eq!(u.with_policy(p, None)?.certifications().count(), 0);
578/// #
579/// # Ok(())
580/// # }
581/// ```
582#[derive(Clone, Debug)]
583pub struct StandardPolicy<'a> {
584 // The time. If None, the current time is used.
585 time: Option<Timestamp>,
586
587 // Hash algorithms.
588 collision_resistant_hash_algos:
589 CollisionResistantHashCutoffList,
590 second_pre_image_resistant_hash_algos:
591 SecondPreImageResistantHashCutoffList,
592 hash_revocation_tolerance: types::Duration,
593
594 // Critical subpacket tags.
595 critical_subpackets: SubpacketTagCutoffList,
596
597 // Critical notation good-list.
598 good_critical_notations: &'a [&'a str],
599
600 // Packet types.
601 packet_tags: PacketTagCutoffList,
602
603 // Symmetric algorithms.
604 symmetric_algos: SymmetricAlgorithmCutoffList,
605
606 // AEAD algorithms.
607 aead_algos: AEADAlgorithmCutoffList,
608
609 // Asymmetric algorithms.
610 asymmetric_algos: AsymmetricAlgorithmCutoffList,
611}
612
613assert_send_and_sync!(StandardPolicy<'_>);
614
615impl<'a> Default for StandardPolicy<'a> {
616 fn default() -> Self {
617 Self::new()
618 }
619}
620
621impl<'a> From<&'a StandardPolicy<'a>> for Option<&'a dyn Policy> {
622 fn from(p: &'a StandardPolicy<'a>) -> Self {
623 Some(p as &dyn Policy)
624 }
625}
626
627// Signatures that require a hash with collision Resistance and second
628// Pre-image Resistance. See the documentation for HashAlgoSecurity
629// for more details.
630a_cutoff_list!(CollisionResistantHashCutoffList, HashAlgorithm, 15,
631 [
632 REJECT, // 0. Not assigned.
633 Some(Timestamp::Y1997M2), // 1. MD5
634 Some(Timestamp::Y2013M2), // 2. SHA-1
635 Some(Timestamp::Y2013M2), // 3. RIPE-MD/160
636 REJECT, // 4. Reserved.
637 REJECT, // 5. Reserved.
638 REJECT, // 6. Reserved.
639 REJECT, // 7. Reserved.
640 ACCEPT, // 8. SHA256
641 ACCEPT, // 9. SHA384
642 ACCEPT, // 10. SHA512
643 ACCEPT, // 11. SHA224
644 ACCEPT, // 12. SHA3-256
645 REJECT, // 13. Reserved.
646 ACCEPT, // 14. SHA3-512
647 ]);
648// Signatures that *only* require a hash with Second Pre-image
649// Resistance. See the documentation for HashAlgoSecurity for more
650// details.
651a_cutoff_list!(SecondPreImageResistantHashCutoffList, HashAlgorithm, 15,
652 [
653 REJECT, // 0. Not assigned.
654 Some(Timestamp::Y2004M2), // 1. MD5
655 Some(Timestamp::Y2023M2), // 2. SHA-1
656 Some(Timestamp::Y2013M2), // 3. RIPE-MD/160
657 REJECT, // 4. Reserved.
658 REJECT, // 5. Reserved.
659 REJECT, // 6. Reserved.
660 REJECT, // 7. Reserved.
661 ACCEPT, // 8. SHA256
662 ACCEPT, // 9. SHA384
663 ACCEPT, // 10. SHA512
664 ACCEPT, // 11. SHA224
665 ACCEPT, // 12. SHA3-256
666 REJECT, // 13. Reserved.
667 ACCEPT, // 14. SHA3-512
668 ]);
669
670a_cutoff_list!(SubpacketTagCutoffList, SubpacketTag, 40,
671 [
672 REJECT, // 0. Reserved.
673 REJECT, // 1. Reserved.
674 ACCEPT, // 2. SignatureCreationTime.
675 ACCEPT, // 3. SignatureExpirationTime.
676 ACCEPT, // 4. ExportableCertification.
677 ACCEPT, // 5. TrustSignature.
678 ACCEPT, // 6. RegularExpression.
679 // Note: Even though we don't explicitly honor the
680 // Revocable flag, we don't support signature
681 // revocations, hence it is safe to ACCEPT it.
682 ACCEPT, // 7. Revocable.
683 REJECT, // 8. Reserved.
684 ACCEPT, // 9. KeyExpirationTime.
685 REJECT, // 10. PlaceholderForBackwardCompatibility.
686 ACCEPT, // 11. PreferredSymmetricAlgorithms.
687 ACCEPT, // 12. RevocationKey.
688 REJECT, // 13. Reserved.
689 REJECT, // 14. Reserved.
690 REJECT, // 15. Reserved.
691 ACCEPT, // 16. Issuer.
692 REJECT, // 17. Reserved.
693 REJECT, // 18. Reserved.
694 REJECT, // 19. Reserved.
695 ACCEPT, // 20. NotationData.
696 ACCEPT, // 21. PreferredHashAlgorithms.
697 ACCEPT, // 22. PreferredCompressionAlgorithms.
698 ACCEPT, // 23. KeyServerPreferences.
699 ACCEPT, // 24. PreferredKeyServer.
700 ACCEPT, // 25. PrimaryUserID.
701 ACCEPT, // 26. PolicyURI.
702 ACCEPT, // 27. KeyFlags.
703 ACCEPT, // 28. SignersUserID.
704 ACCEPT, // 29. ReasonForRevocation.
705 ACCEPT, // 30. Features.
706 REJECT, // 31. SignatureTarget.
707 ACCEPT, // 32. EmbeddedSignature.
708 ACCEPT, // 33. IssuerFingerprint.
709 REJECT, // 34. Reserved (PreferredAEADAlgorithms).
710 ACCEPT, // 35. IntendedRecipient.
711 REJECT, // 36. Reserved.
712 ACCEPT, // 37. ApprovedCertifications.
713 REJECT, // 38. Reserved.
714 ACCEPT, // 39. PreferredAEADCiphersuites.
715 ]);
716
717a_cutoff_list!(AsymmetricAlgorithmCutoffList, AsymmetricAlgorithm, 23,
718 [
719 Some(Timestamp::Y2014M2), // 0. RSA1024.
720 ACCEPT, // 1. RSA2048.
721 ACCEPT, // 2. RSA3072.
722 ACCEPT, // 3. RSA4096.
723 Some(Timestamp::Y2014M2), // 4. ElGamal1024.
724 Some(Timestamp::Y2025M2), // 5. ElGamal2048.
725 Some(Timestamp::Y2025M2), // 6. ElGamal3072.
726 Some(Timestamp::Y2025M2), // 7. ElGamal4096.
727 Some(Timestamp::Y2014M2), // 8. DSA1024.
728 Some(Timestamp::Y2030M2), // 9. DSA2048.
729 Some(Timestamp::Y2030M2), // 10. DSA3072.
730 Some(Timestamp::Y2030M2), // 11. DSA4096.
731 ACCEPT, // 12. NistP256.
732 ACCEPT, // 13. NistP384.
733 ACCEPT, // 14. NistP521.
734 ACCEPT, // 15. BrainpoolP256.
735 ACCEPT, // 16. BrainpoolP384.
736 ACCEPT, // 17. BrainpoolP512.
737 ACCEPT, // 18. Cv25519.
738 ACCEPT, // 19. X25519.
739 ACCEPT, // 20. X448.
740 ACCEPT, // 21. Ed25519.
741 ACCEPT, // 22. Ed448.
742 ]);
743
744a_cutoff_list!(SymmetricAlgorithmCutoffList, SymmetricAlgorithm, 14,
745 [
746 REJECT, // 0. Unencrypted.
747 Some(Timestamp::Y2025M2), // 1. IDEA.
748 Some(Timestamp::Y2017M2), // 2. TripleDES.
749 Some(Timestamp::Y2025M2), // 3. CAST5.
750 ACCEPT, // 4. Blowfish.
751 REJECT, // 5. Reserved.
752 REJECT, // 6. Reserved.
753 ACCEPT, // 7. AES128.
754 ACCEPT, // 8. AES192.
755 ACCEPT, // 9. AES256.
756 ACCEPT, // 10. Twofish.
757 ACCEPT, // 11. Camellia128.
758 ACCEPT, // 12. Camellia192.
759 ACCEPT, // 13. Camellia256.
760 ]);
761
762a_cutoff_list!(AEADAlgorithmCutoffList, AEADAlgorithm, 4,
763 [
764 REJECT, // 0. Reserved.
765 ACCEPT, // 1. EAX.
766 ACCEPT, // 2. OCB.
767 ACCEPT, // 3. GCM.
768 ]);
769
770a_versioned_cutoff_list!(PacketTagCutoffList, Tag, 22,
771 [
772 REJECT, // 0. Reserved.
773 ACCEPT, // 1. PKESK.
774 ACCEPT, // 2. Signature.
775 ACCEPT, // 3. SKESK.
776 ACCEPT, // 4. OnePassSig.
777 ACCEPT, // 5. SecretKey.
778 ACCEPT, // 6. PublicKey.
779 ACCEPT, // 7. SecretSubkey.
780 ACCEPT, // 8. CompressedData.
781 Some(Timestamp::Y2004M2), // 9. SED.
782 ACCEPT, // 10. Marker.
783 ACCEPT, // 11. Literal.
784 ACCEPT, // 12. Trust.
785 ACCEPT, // 13. UserID.
786 ACCEPT, // 14. PublicSubkey.
787 REJECT, // 15. Not assigned.
788 REJECT, // 16. Not assigned.
789 ACCEPT, // 17. UserAttribute.
790 ACCEPT, // 18. SEIP.
791 ACCEPT, // 19. MDC.
792 REJECT, // 20. "v5" AED.
793 ACCEPT, // 21. Padding.
794 ],
795 // The versioned list overrides the unversioned list. So we only
796 // need to tweak the above.
797 //
798 // Note: this list must be sorted and the tag and version must be unique!
799 2,
800 [
801 (Tag::Signature, 3, Some(Timestamp::Y2021M2)),
802 (Tag::Signature, 5, REJECT), // "v5" Signatures.
803 ]);
804
805// We need to convert a `SystemTime` to a `Timestamp` in
806// `StandardPolicy::reject_hash_at`. Unfortunately, a `SystemTime`
807// can represent a larger range of time than a `Timestamp` can. Since
808// the times passed to this function are cutoff points, and we only
809// compare them to OpenPGP timestamps, any `SystemTime` that is prior
810// to the Unix Epoch is equivalent to the Unix Epoch: it will reject
811// all timestamps. Similarly, any `SystemTime` that is later than the
812// latest time representable by a `Timestamp` is equivalent to
813// accepting all time stamps, which is equivalent to passing None.
814fn system_time_cutoff_to_timestamp(t: SystemTime) -> Option<Timestamp> {
815 let t = t
816 .duration_since(SystemTime::UNIX_EPOCH)
817 // An error can only occur if the SystemTime is less than the
818 // reference time (SystemTime::UNIX_EPOCH). Map that to
819 // SystemTime::UNIX_EPOCH, as above.
820 .unwrap_or_else(|_| Duration::new(0, 0));
821 let t = t.as_secs();
822 if t > u32::MAX as u64 {
823 // Map to None, as above.
824 None
825 } else {
826 Some((t as u32).into())
827 }
828}
829
830impl<'a> StandardPolicy<'a> {
831 /// Instantiates a new `StandardPolicy` with the default parameters.
832 pub const fn new() -> Self {
833 const EMPTY_LIST: &[&str] = &[];
834 Self {
835 time: None,
836 collision_resistant_hash_algos:
837 CollisionResistantHashCutoffList::Default(),
838 second_pre_image_resistant_hash_algos:
839 SecondPreImageResistantHashCutoffList::Default(),
840 // There are 365.2425 days in a year. Use a reasonable
841 // approximation.
842 hash_revocation_tolerance:
843 types::Duration::seconds((7 * 365 + 2) * 24 * 60 * 60),
844 critical_subpackets: SubpacketTagCutoffList::Default(),
845 good_critical_notations: EMPTY_LIST,
846 asymmetric_algos: AsymmetricAlgorithmCutoffList::Default(),
847 symmetric_algos: SymmetricAlgorithmCutoffList::Default(),
848 aead_algos: AEADAlgorithmCutoffList::Default(),
849 packet_tags: PacketTagCutoffList::Default(),
850 }
851 }
852
853 /// Instantiates a new `StandardPolicy` with parameters
854 /// appropriate for `time`.
855 ///
856 /// `time` is a meta-parameter that selects a security profile
857 /// that is appropriate for the given point in time. When
858 /// evaluating an object, the reference time should be set to the
859 /// time that the object was stored to non-tamperable storage.
860 /// Since most applications don't record when they received an
861 /// object, they should conservatively use the current time.
862 ///
863 /// Note that the reference time is a security parameter and is
864 /// different from the time that the object was allegedly created.
865 /// Consider evaluating a signature whose `Signature Creation
866 /// Time` subpacket indicates that it was created in 2007. Since
867 /// the subpacket is under the control of the sender, setting the
868 /// reference time according to the subpacket means that the
869 /// sender chooses the security profile. If the sender were an
870 /// attacker, she could have forged this to take advantage of
871 /// security weaknesses found since 2007. This is why the
872 /// reference time must be set---at the earliest---to the time
873 /// that the message was stored to non-tamperable storage. When
874 /// that is not available, the current time should be used.
875 pub fn at<T>(time: T) -> Self
876 where T: Into<SystemTime>,
877 {
878 let time = time.into();
879 let mut p = Self::new();
880 p.time = Some(system_time_cutoff_to_timestamp(time)
881 // Map "ACCEPT" to the end of time (None
882 // here means the current time).
883 .unwrap_or(Timestamp::MAX));
884 p
885 }
886
887 /// Returns the policy's reference time.
888 ///
889 /// The current time is None.
890 ///
891 /// See [`StandardPolicy::at`] for details.
892 ///
893 /// [`StandardPolicy::at`]: StandardPolicy::at()
894 pub fn time(&self) -> Option<SystemTime> {
895 self.time.map(Into::into)
896 }
897
898 /// Always considers `h` to be secure.
899 ///
900 /// A cryptographic hash algorithm normally has three security
901 /// properties:
902 ///
903 /// - Pre-image resistance,
904 /// - Second pre-image resistance, and
905 /// - Collision resistance.
906 ///
907 /// A hash algorithm should only be unconditionally accepted if it
908 /// has all three of these properties. See the documentation for
909 /// [`HashAlgoSecurity`] for more details.
910 pub fn accept_hash(&mut self, h: HashAlgorithm) {
911 self.accept_hash_property(h, HashAlgoSecurity::CollisionResistance);
912 self.accept_hash_property(h, HashAlgoSecurity::SecondPreImageResistance);
913 }
914
915 /// Considers hash algorithm `h` to be secure for the specified
916 /// security property `sec`.
917 ///
918 /// For instance, an application may choose to allow an algorithm
919 /// like SHA-1 in contexts like User ID binding signatures where
920 /// only [second preimage
921 /// resistance][`HashAlgoSecurity::SecondPreImageResistance`] is
922 /// required but not in contexts like signatures over data where
923 /// [collision
924 /// resistance][`HashAlgoSecurity::CollisionResistance`] is also
925 /// required. Whereas SHA-1's collision resistance is
926 /// [definitively broken](https://shattered.io/), depending on the
927 /// application's threat model, it may be acceptable to continue
928 /// to accept SHA-1 in these specific contexts.
929 pub fn accept_hash_property(&mut self, h: HashAlgorithm, sec: HashAlgoSecurity)
930 {
931 self.reject_hash_property_at(h, sec, None);
932 }
933
934 /// Considers `h` to be insecure in all security contexts.
935 ///
936 /// A cryptographic hash algorithm normally has three security
937 /// properties:
938 ///
939 /// - Pre-image resistance,
940 /// - Second pre-image resistance, and
941 /// - Collision resistance.
942 ///
943 /// This method causes the hash algorithm to be considered unsafe
944 /// in all security contexts.
945 ///
946 /// See the documentation for [`HashAlgoSecurity`] for more
947 /// details.
948 ///
949 ///
950 /// To express a more nuanced policy, use
951 /// [`StandardPolicy::reject_hash_at`] or
952 /// [`StandardPolicy::reject_hash_property_at`].
953 ///
954 /// [`StandardPolicy::reject_hash_at`]: StandardPolicy::reject_hash_at()
955 /// [`StandardPolicy::reject_hash_property_at`]: StandardPolicy::reject_hash_property_at()
956 pub fn reject_hash(&mut self, h: HashAlgorithm) {
957 self.collision_resistant_hash_algos.set(h, REJECT);
958 self.second_pre_image_resistant_hash_algos.set(h, REJECT);
959 }
960
961 /// Considers all hash algorithms to be insecure.
962 ///
963 /// Causes all hash algorithms to be considered insecure in all
964 /// security contexts.
965 ///
966 /// This is useful when using a good list to determine what
967 /// algorithms are allowed.
968 pub fn reject_all_hashes(&mut self) {
969 self.collision_resistant_hash_algos.reject_all();
970 self.second_pre_image_resistant_hash_algos.reject_all();
971 }
972
973 /// Considers `h` to be insecure in all security contexts starting
974 /// at time `t`.
975 ///
976 /// A cryptographic hash algorithm normally has three security
977 /// properties:
978 ///
979 /// - Pre-image resistance,
980 /// - Second pre-image resistance, and
981 /// - Collision resistance.
982 ///
983 /// This method causes the hash algorithm to be considered unsafe
984 /// in all security contexts starting at time `t`.
985 ///
986 /// See the documentation for [`HashAlgoSecurity`] for more
987 /// details.
988 ///
989 ///
990 /// To express a more nuanced policy, use
991 /// [`StandardPolicy::reject_hash_property_at`].
992 ///
993 /// [`StandardPolicy::reject_hash_property_at`]: StandardPolicy::reject_hash_property_at()
994 pub fn reject_hash_at<T>(&mut self, h: HashAlgorithm, t: T)
995 where T: Into<Option<SystemTime>>,
996 {
997 let t = t.into().and_then(system_time_cutoff_to_timestamp);
998 self.collision_resistant_hash_algos.set(h, t);
999 self.second_pre_image_resistant_hash_algos.set(h, t);
1000 }
1001
1002 /// Considers `h` to be insecure starting at `t` for the specified
1003 /// security property.
1004 ///
1005 /// A hash algorithm is considered secure if it has all of the
1006 /// following security properties:
1007 ///
1008 /// - Pre-image resistance,
1009 /// - Second pre-image resistance, and
1010 /// - Collision resistance.
1011 ///
1012 /// Some contexts only require a subset of these security
1013 /// properties. Specifically, if an attacker is unable to
1014 /// influence the data that a user signs, then the hash algorithm
1015 /// only needs second pre-image resistance; it doesn't need
1016 /// collision resistance. See the documentation for
1017 /// [`HashAlgoSecurity`] for more details.
1018 ///
1019 ///
1020 /// This method makes it possible to specify different policies
1021 /// depending on the security requirements.
1022 ///
1023 /// A cutoff of `None` means that there is no cutoff and the
1024 /// algorithm has no known vulnerabilities for the specified
1025 /// security policy.
1026 ///
1027 /// As a rule of thumb, collision resistance is easier to attack
1028 /// than second pre-image resistance. And in practice there are
1029 /// practical attacks against several widely-used hash algorithms'
1030 /// collision resistance, but only theoretical attacks against
1031 /// their second pre-image resistance. Nevertheless, once one
1032 /// property of a hash has been compromised, we want to deprecate
1033 /// its use as soon as it is feasible. Unfortunately, because
1034 /// OpenPGP certificates are long-lived, this can take years.
1035 ///
1036 /// Given this, we start rejecting [MD5] in cases where collision
1037 /// resistance is required in 1997 and completely reject it
1038 /// starting in 2004:
1039 ///
1040 /// > In 1996, Dobbertin announced a collision of the
1041 /// > compression function of MD5 (Dobbertin, 1996). While this
1042 /// > was not an attack on the full MD5 hash function, it was
1043 /// > close enough for cryptographers to recommend switching to
1044 /// > a replacement, such as SHA-1 or RIPEMD-160.
1045 /// >
1046 /// > MD5CRK ended shortly after 17 August 2004, when collisions
1047 /// > for the full MD5 were announced by Xiaoyun Wang, Dengguo
1048 /// > Feng, Xuejia Lai, and Hongbo Yu. Their analytical attack
1049 /// > was reported to take only one hour on an IBM p690 cluster.
1050 /// >
1051 /// > (Accessed Feb. 2020.)
1052 ///
1053 /// [MD5]: https://en.wikipedia.org/wiki/MD5
1054 ///
1055 /// And we start rejecting [SHA-1] in cases where collision
1056 /// resistance is required in 2013, and completely reject it in
1057 /// 2023:
1058 ///
1059 /// > Since 2005 SHA-1 has not been considered secure against
1060 /// > well-funded opponents, as of 2010 many organizations have
1061 /// > recommended its replacement. NIST formally deprecated use
1062 /// > of SHA-1 in 2011 and disallowed its use for digital
1063 /// > signatures in 2013. As of 2020, attacks against SHA-1 are
1064 /// > as practical as against MD5; as such, it is recommended to
1065 /// > remove SHA-1 from products as soon as possible and use
1066 /// > instead SHA-256 or SHA-3. Replacing SHA-1 is urgent where
1067 /// > it's used for signatures.
1068 /// >
1069 /// > (Accessed Feb. 2020.)
1070 ///
1071 /// [SHA-1]: https://en.wikipedia.org/wiki/SHA-1
1072 ///
1073 /// There are two main reasons why we have decided to accept SHA-1
1074 /// for so long. First, as of the end of 2020, there are still a
1075 /// large number of [certificates that rely on SHA-1]. Second,
1076 /// Sequoia uses a variant of SHA-1 called [SHA1CD], which is able
1077 /// to detect and *mitigate* the known attacks on SHA-1's
1078 /// collision resistance.
1079 ///
1080 /// [certificates that rely on SHA-1]: https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
1081 /// [SHA1CD]: https://github.com/cr-marcstevens/sha1collisiondetection
1082 ///
1083 /// Since RIPE-MD is structured similarly to SHA-1, we
1084 /// conservatively consider it to be broken as well. But, because
1085 /// it is not widely used in the OpenPGP ecosystem, we don't make
1086 /// provisions for it.
1087 ///
1088 /// Note: if a context indicates that it requires collision
1089 /// resistance, then it requires both collision resistance and
1090 /// second pre-image resistance, and both policies must indicate
1091 /// that the hash algorithm can be safely used at the specified
1092 /// time.
1093 pub fn reject_hash_property_at<T>(&mut self, h: HashAlgorithm,
1094 sec: HashAlgoSecurity, t: T)
1095 where T: Into<Option<SystemTime>>,
1096 {
1097 let t = t.into().and_then(system_time_cutoff_to_timestamp);
1098 match sec {
1099 HashAlgoSecurity::CollisionResistance =>
1100 self.collision_resistant_hash_algos.set(h, t),
1101 HashAlgoSecurity::SecondPreImageResistance =>
1102 self.second_pre_image_resistant_hash_algos.set(h, t),
1103 }
1104 }
1105
1106 /// Returns the cutoff time for the specified hash algorithm and
1107 /// security policy.
1108 pub fn hash_cutoff(&self, h: HashAlgorithm, sec: HashAlgoSecurity)
1109 -> Option<SystemTime>
1110 {
1111 match sec {
1112 HashAlgoSecurity::CollisionResistance =>
1113 self.collision_resistant_hash_algos.cutoff(h),
1114 HashAlgoSecurity::SecondPreImageResistance =>
1115 self.second_pre_image_resistant_hash_algos.cutoff(h),
1116 }.map(|t| t.into())
1117 }
1118
1119 /// Sets the amount of time to continue to accept revocation
1120 /// certificates after a hash algorithm should be rejected.
1121 ///
1122 /// Using [`StandardPolicy::reject_hash_at`], it is possible to
1123 /// indicate when a hash algorithm's security has been
1124 /// compromised, and, as such, should no longer be accepted.
1125 ///
1126 /// [`StandardPolicy::reject_hash_at`]: StandardPolicy::reject_hash_at()
1127 ///
1128 /// Applying this policy to revocation certificates can have some
1129 /// unfortunate side effects. In particular, if a certificate has
1130 /// been revoked using a revocation certificate that relies on a
1131 /// broken hash algorithm, but the most recent self signature uses
1132 /// a strong acceptable hash algorithm, then rejecting the
1133 /// revocation certificate would mean considering the certificate
1134 /// to not be revoked! This would be a catastrophe if the secret
1135 /// key material were compromised.
1136 ///
1137 /// Unfortunately, this happens in practice. A common example
1138 /// appears to be a certificate that has been updated many times,
1139 /// and is then revoked using a revocation certificate that was
1140 /// generated when the certificate was generated.
1141 ///
1142 /// Since the consequences of allowing an invalid revocation
1143 /// certificate are significantly less severe (a denial of
1144 /// service) than ignoring a valid revocation certificate
1145 /// (compromised confidentiality, integrity, and authentication),
1146 /// this option makes it possible to accept revocations using weak
1147 /// hash algorithms longer than other types of signatures.
1148 ///
1149 /// By default, the standard policy accepts revocation
1150 /// certificates seven years after the hash they are using was
1151 /// initially compromised.
1152 pub fn hash_revocation_tolerance<D>(&mut self, d: D)
1153 where D: Into<types::Duration>
1154 {
1155 self.hash_revocation_tolerance = d.into();
1156 }
1157
1158 /// Sets the amount of time to continue to accept revocation
1159 /// certificates after a hash algorithm should be rejected.
1160 ///
1161 /// See [`StandardPolicy::hash_revocation_tolerance`] for details.
1162 ///
1163 /// [`StandardPolicy::hash_revocation_tolerance`]: StandardPolicy::hash_revocation_tolerance()
1164 pub fn get_hash_revocation_tolerance(&self) -> types::Duration {
1165 self.hash_revocation_tolerance
1166 }
1167
1168 /// Always considers `s` to be secure.
1169 pub fn accept_critical_subpacket(&mut self, s: SubpacketTag) {
1170 self.critical_subpackets.set(s, ACCEPT);
1171 }
1172
1173 /// Always considers `s` to be insecure.
1174 pub fn reject_critical_subpacket(&mut self, s: SubpacketTag) {
1175 self.critical_subpackets.set(s, REJECT);
1176 }
1177
1178 /// Considers all critical subpackets to be insecure.
1179 ///
1180 /// This is useful when using a good list to determine what
1181 /// critical subpackets are allowed.
1182 pub fn reject_all_critical_subpackets(&mut self) {
1183 self.critical_subpackets.reject_all();
1184 }
1185
1186 /// Considers `s` to be insecure starting at `cutoff`.
1187 ///
1188 /// A cutoff of `None` means that there is no cutoff and the
1189 /// subpacket has no known vulnerabilities.
1190 ///
1191 /// By default, we accept all critical subpackets that Sequoia
1192 /// understands and honors.
1193 pub fn reject_critical_subpacket_at<C>(&mut self, s: SubpacketTag,
1194 cutoff: C)
1195 where C: Into<Option<SystemTime>>,
1196 {
1197 self.critical_subpackets.set(
1198 s,
1199 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1200 }
1201
1202 /// Returns the cutoff times for the specified subpacket tag.
1203 pub fn critical_subpacket_cutoff(&self, s: SubpacketTag)
1204 -> Option<SystemTime> {
1205 self.critical_subpackets.cutoff(s).map(|t| t.into())
1206 }
1207
1208 /// Sets the list of accepted critical notations.
1209 ///
1210 /// By default, we reject all critical notations.
1211 pub fn good_critical_notations(&mut self, good_list: &'a [&'a str]) {
1212 self.good_critical_notations = good_list;
1213 }
1214
1215 /// Always considers `s` to be secure.
1216 pub fn accept_asymmetric_algo(&mut self, a: AsymmetricAlgorithm) {
1217 self.asymmetric_algos.set(a, ACCEPT);
1218 }
1219
1220 /// Always considers `s` to be insecure.
1221 pub fn reject_asymmetric_algo(&mut self, a: AsymmetricAlgorithm) {
1222 self.asymmetric_algos.set(a, REJECT);
1223 }
1224
1225 /// Considers all asymmetric algorithms to be insecure.
1226 ///
1227 /// This is useful when using a good list to determine what
1228 /// algorithms are allowed.
1229 pub fn reject_all_asymmetric_algos(&mut self) {
1230 self.asymmetric_algos.reject_all();
1231 }
1232
1233 /// Considers `a` to be insecure starting at `cutoff`.
1234 ///
1235 /// A cutoff of `None` means that there is no cutoff and the
1236 /// algorithm has no known vulnerabilities.
1237 ///
1238 /// By default, we reject the use of asymmetric key sizes lower
1239 /// than 2048 bits starting in 2014 following [NIST Special
1240 /// Publication 800-131A].
1241 ///
1242 /// [NIST Special Publication 800-131A]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf
1243 pub fn reject_asymmetric_algo_at<C>(&mut self, a: AsymmetricAlgorithm,
1244 cutoff: C)
1245 where C: Into<Option<SystemTime>>,
1246 {
1247 self.asymmetric_algos.set(
1248 a,
1249 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1250 }
1251
1252 /// Returns the cutoff times for the specified hash algorithm.
1253 pub fn asymmetric_algo_cutoff(&self, a: AsymmetricAlgorithm)
1254 -> Option<SystemTime> {
1255 self.asymmetric_algos.cutoff(a).map(|t| t.into())
1256 }
1257
1258 /// Always considers `s` to be secure.
1259 pub fn accept_symmetric_algo(&mut self, s: SymmetricAlgorithm) {
1260 self.symmetric_algos.set(s, ACCEPT);
1261 }
1262
1263 /// Always considers `s` to be insecure.
1264 pub fn reject_symmetric_algo(&mut self, s: SymmetricAlgorithm) {
1265 self.symmetric_algos.set(s, REJECT);
1266 }
1267
1268 /// Considers all symmetric algorithms to be insecure.
1269 ///
1270 /// This is useful when using a good list to determine what
1271 /// algorithms are allowed.
1272 pub fn reject_all_symmetric_algos(&mut self) {
1273 self.symmetric_algos.reject_all();
1274 }
1275
1276 /// Considers `s` to be insecure starting at `cutoff`.
1277 ///
1278 /// A cutoff of `None` means that there is no cutoff and the
1279 /// algorithm has no known vulnerabilities.
1280 ///
1281 /// By default, we reject the use of TripleDES (3DES) starting in
1282 /// the year 2017. While 3DES is still a ["MUST implement"]
1283 /// algorithm in RFC4880, released in 2007, there are plenty of
1284 /// other symmetric algorithms defined in RFC4880, and it says
1285 /// AES-128 SHOULD be implemented. Support for other algorithms
1286 /// in OpenPGP implementations is [excellent]. We chose 2017 as
1287 /// the cutoff year because [NIST deprecated 3DES] that year.
1288 ///
1289 /// ["MUST implement"]: https://www.rfc-editor.org/rfc/rfc9580.html#section-9.3
1290 /// [excellent]: https://tests.sequoia-pgp.org/#Symmetric_Encryption_Algorithm_support
1291 /// [NIST deprecated 3DES]: https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
1292 pub fn reject_symmetric_algo_at<C>(&mut self, s: SymmetricAlgorithm,
1293 cutoff: C)
1294 where C: Into<Option<SystemTime>>,
1295 {
1296 self.symmetric_algos.set(
1297 s,
1298 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1299 }
1300
1301 /// Returns the cutoff times for the specified hash algorithm.
1302 pub fn symmetric_algo_cutoff(&self, s: SymmetricAlgorithm)
1303 -> Option<SystemTime> {
1304 self.symmetric_algos.cutoff(s).map(|t| t.into())
1305 }
1306
1307 /// Always considers `s` to be secure.
1308 ///
1309 /// This feature is [experimental](super#experimental-features).
1310 pub fn accept_aead_algo(&mut self, a: AEADAlgorithm) {
1311 self.aead_algos.set(a, ACCEPT);
1312 }
1313
1314 /// Always considers `s` to be insecure.
1315 ///
1316 /// This feature is [experimental](super#experimental-features).
1317 pub fn reject_aead_algo(&mut self, a: AEADAlgorithm) {
1318 self.aead_algos.set(a, REJECT);
1319 }
1320
1321 /// Considers all AEAD algorithms to be insecure.
1322 ///
1323 /// This is useful when using a good list to determine what
1324 /// algorithms are allowed.
1325 pub fn reject_all_aead_algos(&mut self) {
1326 self.aead_algos.reject_all();
1327 }
1328
1329 /// Considers `a` to be insecure starting at `cutoff`.
1330 ///
1331 /// A cutoff of `None` means that there is no cutoff and the
1332 /// algorithm has no known vulnerabilities.
1333 ///
1334 /// By default, we accept all AEAD modes.
1335 ///
1336 /// This feature is [experimental](super#experimental-features).
1337 pub fn reject_aead_algo_at<C>(&mut self, a: AEADAlgorithm,
1338 cutoff: C)
1339 where C: Into<Option<SystemTime>>,
1340 {
1341 self.aead_algos.set(
1342 a,
1343 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1344 }
1345
1346 /// Returns the cutoff times for the specified hash algorithm.
1347 ///
1348 /// This feature is [experimental](super#experimental-features).
1349 pub fn aead_algo_cutoff(&self, a: AEADAlgorithm)
1350 -> Option<SystemTime> {
1351 self.aead_algos.cutoff(a).map(|t| t.into())
1352 }
1353
1354 /// Always accept the specified version of the packet.
1355 ///
1356 /// If a packet does not have a version field, then its version is
1357 /// `0`.
1358 pub fn accept_packet_tag_version(&mut self, tag: Tag, version: u8) {
1359 self.packet_tags.set_versioned(tag, version, ACCEPT);
1360 }
1361
1362 /// Always accept packets with the given tag independent of their
1363 /// version.
1364 ///
1365 /// If you previously set a cutoff for a specific version of a
1366 /// packet, this overrides that.
1367 pub fn accept_packet_tag(&mut self, tag: Tag) {
1368 self.packet_tags.set_unversioned(tag, ACCEPT);
1369 }
1370
1371 /// Always reject the specified version of the packet.
1372 ///
1373 /// If a packet does not have a version field, then its version is
1374 /// `0`.
1375 pub fn reject_packet_tag_version(&mut self, tag: Tag, version: u8) {
1376 self.packet_tags.set_versioned(tag, version, REJECT);
1377 }
1378
1379 /// Always reject packets with the given tag.
1380 pub fn reject_packet_tag(&mut self, tag: Tag) {
1381 self.packet_tags.set_unversioned(tag, REJECT);
1382 }
1383
1384 /// Considers all packets to be insecure.
1385 ///
1386 /// This is useful when using a good list to determine what
1387 /// packets are allowed.
1388 pub fn reject_all_packet_tags(&mut self) {
1389 self.packet_tags.reject_all();
1390 }
1391
1392 /// Start rejecting the specified version of packets with the
1393 /// given tag at `t`.
1394 ///
1395 /// A cutoff of `None` means that there is no cutoff and the
1396 /// packet has no known vulnerabilities.
1397 ///
1398 /// By default, we consider the *Symmetrically Encrypted Data
1399 /// Packet* (SED) insecure in messages created in the year 2004 or
1400 /// later. The rationale here is that *Symmetrically Encrypted
1401 /// Integrity Protected Data Packet* (SEIP) can be downgraded to
1402 /// SED packets, enabling attacks exploiting the malleability of
1403 /// the CFB stream (see [EFAIL]).
1404 ///
1405 /// [EFAIL]: https://en.wikipedia.org/wiki/EFAIL
1406 ///
1407 /// We chose 2004 as a cutoff-date because [Debian 3.0] (Woody),
1408 /// released on 2002-07-19, was the first release of Debian to
1409 /// ship a version of GnuPG that emitted SEIP packets by default.
1410 /// The first version that emitted SEIP packets was [GnuPG 1.0.3],
1411 /// released on 2000-09-18. Mid 2002 plus an 18 months grace
1412 /// period of people still using older versions is 2004.
1413 ///
1414 /// [Debian 3.0]: https://www.debian.org/News/2002/20020719
1415 /// [GnuPG 1.0.3]: https://lists.gnupg.org/pipermail/gnupg-announce/2000q3/000075.html
1416 pub fn reject_packet_tag_version_at<C>(&mut self, tag: Tag, version: u8,
1417 cutoff: C)
1418 where C: Into<Option<SystemTime>>,
1419 {
1420 self.packet_tags.set_versioned(
1421 tag, version,
1422 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1423 }
1424
1425 /// Start rejecting packets with the given tag at `t`.
1426 ///
1427 /// See the documentation for
1428 /// [`StandardPolicy::reject_packet_tag_version_at`].
1429 pub fn reject_packet_tag_at<C>(&mut self, tag: Tag, cutoff: C)
1430 where C: Into<Option<SystemTime>>,
1431 {
1432 self.packet_tags.set_unversioned(
1433 tag,
1434 cutoff.into().and_then(system_time_cutoff_to_timestamp));
1435 }
1436
1437 /// Returns the cutoff for the specified version of the specified
1438 /// packet tag.
1439 ///
1440 /// This first considers the versioned cutoff list. If there is
1441 /// no entry in the versioned list, it fallsback to the
1442 /// unversioned cutoff list. If there is also no entry there,
1443 /// then it falls back to the default.
1444 pub fn packet_tag_version_cutoff(&self, tag: Tag, version: u8)
1445 -> Option<SystemTime>
1446 {
1447 self.packet_tags.cutoff(tag, version).map(|t| t.into())
1448 }
1449}
1450
1451impl<'a> Policy for StandardPolicy<'a> {
1452 fn signature(&self, sig: &Signature, sec: HashAlgoSecurity) -> Result<()> {
1453 let time = self.time.unwrap_or_else(Timestamp::now);
1454
1455 let rev = matches!(sig.typ(), SignatureType::KeyRevocation
1456 | SignatureType::SubkeyRevocation
1457 | SignatureType::CertificationRevocation);
1458
1459 // Note: collision resistance requires 2nd pre-image resistance.
1460 if sec == HashAlgoSecurity::CollisionResistance {
1461 if rev {
1462 self
1463 .collision_resistant_hash_algos
1464 .check(sig.hash_algo(), time,
1465 Some(self.hash_revocation_tolerance))
1466 .with_context(|| format!(
1467 "Policy rejected revocation signature ({}) requiring \
1468 collision resistance", sig.typ()))?
1469 } else {
1470 self
1471 .collision_resistant_hash_algos
1472 .check(sig.hash_algo(), time, None)
1473 .with_context(|| format!(
1474 "Policy rejected non-revocation signature ({}) requiring \
1475 collision resistance", sig.typ()))?
1476 }
1477 }
1478
1479 if rev {
1480 self
1481 .second_pre_image_resistant_hash_algos
1482 .check(sig.hash_algo(), time,
1483 Some(self.hash_revocation_tolerance))
1484 .with_context(|| format!(
1485 "Policy rejected revocation signature ({}) requiring \
1486 second pre-image resistance", sig.typ()))?
1487 } else {
1488 self
1489 .second_pre_image_resistant_hash_algos
1490 .check(sig.hash_algo(), time, None)
1491 .with_context(|| format!(
1492 "Policy rejected non-revocation signature ({}) requiring \
1493 second pre-image resistance", sig.typ()))?
1494 }
1495
1496 for csp in sig.hashed_area().iter().filter(|sp| sp.critical()) {
1497 self.critical_subpackets.check(csp.tag(), time, None)
1498 .context("Policy rejected critical signature subpacket")?;
1499 if let SubpacketValue::NotationData(n) = csp.value() {
1500 if ! self.good_critical_notations.contains(&n.name()) {
1501 return Err(anyhow::Error::from(
1502 Error::PolicyViolation(
1503 format!("Critical notation {:?}",
1504 n.name()), None))
1505 .context("Policy rejected critical notation"));
1506 }
1507 }
1508 }
1509
1510 Ok(())
1511 }
1512
1513 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1514 -> Result<()>
1515 {
1516 use self::AsymmetricAlgorithm::{*, Unknown};
1517 use crate::types::PublicKeyAlgorithm::{self, *};
1518 use crate::crypto::mpi::PublicKey;
1519
1520 #[allow(deprecated)]
1521 let a = match (ka.key().pk_algo(), ka.key().mpis().bits()) {
1522 // RSA.
1523 (RSAEncryptSign, Some(b))
1524 | (RSAEncrypt, Some(b))
1525 | (RSASign, Some(b)) if b < 2048 => RSA1024,
1526 (RSAEncryptSign, Some(b))
1527 | (RSAEncrypt, Some(b))
1528 | (RSASign, Some(b)) if b < 3072 => RSA2048,
1529 (RSAEncryptSign, Some(b))
1530 | (RSAEncrypt, Some(b))
1531 | (RSASign, Some(b)) if b < 4096 => RSA3072,
1532 (RSAEncryptSign, Some(_))
1533 | (RSAEncrypt, Some(_))
1534 | (RSASign, Some(_)) => RSA4096,
1535 (RSAEncryptSign, None)
1536 | (RSAEncrypt, None)
1537 | (RSASign, None) => unreachable!(),
1538
1539 // ElGamal.
1540 (ElGamalEncryptSign, Some(b))
1541 | (ElGamalEncrypt, Some(b)) if b < 2048 => ElGamal1024,
1542 (ElGamalEncryptSign, Some(b))
1543 | (ElGamalEncrypt, Some(b)) if b < 3072 => ElGamal2048,
1544 (ElGamalEncryptSign, Some(b))
1545 | (ElGamalEncrypt, Some(b)) if b < 4096 => ElGamal3072,
1546 (ElGamalEncryptSign, Some(_))
1547 | (ElGamalEncrypt, Some(_)) => ElGamal4096,
1548 (ElGamalEncryptSign, None)
1549 | (ElGamalEncrypt, None) => unreachable!(),
1550
1551 // DSA.
1552 (DSA, Some(b)) if b < 2048 => DSA1024,
1553 (DSA, Some(b)) if b < 3072 => DSA2048,
1554 (DSA, Some(b)) if b < 4096 => DSA3072,
1555 (DSA, Some(_)) => DSA4096,
1556 (DSA, None) => unreachable!(),
1557
1558 // ECC.
1559 (ECDH, _) | (ECDSA, _) | (EdDSA, _) => {
1560 let curve = match ka.key().mpis() {
1561 PublicKey::EdDSA { curve, .. } => curve,
1562 PublicKey::ECDSA { curve, .. } => curve,
1563 PublicKey::ECDH { curve, .. } => curve,
1564 _ => unreachable!(),
1565 };
1566 use crate::types::Curve;
1567 match curve {
1568 Curve::NistP256 => NistP256,
1569 Curve::NistP384 => NistP384,
1570 Curve::NistP521 => NistP521,
1571 Curve::BrainpoolP256 => BrainpoolP256,
1572 Curve::BrainpoolP384 => BrainpoolP384,
1573 Curve::BrainpoolP512 => BrainpoolP512,
1574 Curve::Ed25519 => Cv25519,
1575 Curve::Cv25519 => Cv25519,
1576 Curve::Unknown(_) => Unknown,
1577 }
1578 },
1579
1580 (PublicKeyAlgorithm::X25519, _) => AsymmetricAlgorithm::X25519,
1581 (PublicKeyAlgorithm::X448, _) => AsymmetricAlgorithm::X448,
1582 (PublicKeyAlgorithm::Ed25519, _) => AsymmetricAlgorithm::Ed25519,
1583 (PublicKeyAlgorithm::Ed448, _) => AsymmetricAlgorithm::Ed448,
1584
1585 _ => Unknown,
1586 };
1587
1588 let time = self.time.unwrap_or_else(Timestamp::now);
1589 self.asymmetric_algos.check(a, time, None)
1590 .context("Policy rejected asymmetric algorithm")?;
1591
1592 // Check ECDH KDF and KEK parameters.
1593 if let PublicKey::ECDH { hash, sym, .. } = ka.key().mpis() {
1594 self.symmetric_algorithm(*sym)
1595 .context("Policy rejected ECDH \
1596 key encapsulation algorithm")?;
1597
1598 // RFC6637 says:
1599 //
1600 // > Refer to Section 13 for the details regarding the
1601 // > choice of the KEK algorithm, which SHOULD be one of
1602 // > three AES algorithms.
1603 //
1604 // Furthermore, GnuPG rejects anything other than AES.
1605 // I checked the SKS dump, and there are no keys out
1606 // there that use a different KEK algorithm.
1607 match sym {
1608 SymmetricAlgorithm::AES128
1609 | SymmetricAlgorithm::AES192
1610 | SymmetricAlgorithm::AES256
1611 => (), // Good.
1612 _ =>
1613 return Err(anyhow::Error::from(
1614 Error::PolicyViolation(sym.to_string(), None))
1615 .context("Policy rejected ECDH \
1616 key encapsulation algorithm")),
1617 }
1618
1619 // For use in a KDF the hash algorithm does not
1620 // necessarily be collision resistant, but this is the
1621 // weakest property that we otherwise care for, so
1622 // (somewhat arbitrarily) use this.
1623 self
1624 .collision_resistant_hash_algos
1625 .check(*hash, time, None)
1626 .context("Policy rejected ECDH \
1627 key derivation hash function")?;
1628 }
1629
1630 Ok(())
1631 }
1632
1633 fn packet(&self, packet: &Packet) -> Result<()> {
1634 let time = self.time.unwrap_or_else(Timestamp::now);
1635 self.packet_tags
1636 .check(
1637 packet.tag(),
1638 packet.version().unwrap_or(0),
1639 time, None)
1640 .context("Policy rejected packet type")
1641 }
1642
1643 fn symmetric_algorithm(&self, algo: SymmetricAlgorithm) -> Result<()> {
1644 let time = self.time.unwrap_or_else(Timestamp::now);
1645 self.symmetric_algos.check(algo, time, None)
1646 .context("Policy rejected symmetric encryption algorithm")
1647 }
1648
1649 fn aead_algorithm(&self, algo: AEADAlgorithm) -> Result<()> {
1650 let time = self.time.unwrap_or_else(Timestamp::now);
1651 self.aead_algos.check(algo, time, None)
1652 .context("Policy rejected authenticated encryption algorithm")
1653 }
1654}
1655
1656/// Asymmetric encryption algorithms.
1657///
1658/// This type is for refining the [`StandardPolicy`] with respect to
1659/// asymmetric algorithms. In contrast to [`PublicKeyAlgorithm`], it
1660/// does not concern itself with the use (encryption or signing), and
1661/// it does include key sizes (if applicable) and elliptic curves.
1662///
1663/// [`PublicKeyAlgorithm`]: crate::types::PublicKeyAlgorithm
1664///
1665/// Key sizes put into are buckets, rounding down to the nearest
1666/// bucket. For example, a 3253-bit RSA key is categorized as
1667/// `RSA3072`.
1668#[non_exhaustive]
1669#[derive(Clone, Debug, PartialEq, Eq, Copy)]
1670pub enum AsymmetricAlgorithm {
1671 /// RSA with key sizes up to 2048-1 bit.
1672 RSA1024,
1673 /// RSA with key sizes up to 3072-1 bit.
1674 RSA2048,
1675 /// RSA with key sizes up to 4096-1 bit.
1676 RSA3072,
1677 /// RSA with key sizes larger or equal to 4096 bit.
1678 RSA4096,
1679 /// ElGamal with key sizes up to 2048-1 bit.
1680 ElGamal1024,
1681 /// ElGamal with key sizes up to 3072-1 bit.
1682 ElGamal2048,
1683 /// ElGamal with key sizes up to 4096-1 bit.
1684 ElGamal3072,
1685 /// ElGamal with key sizes larger or equal to 4096 bit.
1686 ElGamal4096,
1687 /// DSA with key sizes up to 2048-1 bit.
1688 DSA1024,
1689 /// DSA with key sizes up to 3072-1 bit.
1690 DSA2048,
1691 /// DSA with key sizes up to 4096-1 bit.
1692 DSA3072,
1693 /// DSA with key sizes larger or equal to 4096 bit.
1694 DSA4096,
1695 /// NIST curve P-256.
1696 NistP256,
1697 /// NIST curve P-384.
1698 NistP384,
1699 /// NIST curve P-521.
1700 NistP521,
1701 /// brainpoolP256r1.
1702 BrainpoolP256,
1703 /// brainpoolP384r1.
1704 BrainpoolP384,
1705 /// brainpoolP512r1.
1706 BrainpoolP512,
1707 /// D.J. Bernstein's Curve25519.
1708 Cv25519,
1709 /// X25519 (RFC 7748).
1710 X25519,
1711 /// X448 (RFC 7748).
1712 X448,
1713 /// Ed25519 (RFC 8032).
1714 Ed25519,
1715 /// Ed448 (RFC 8032).
1716 Ed448,
1717 /// Unknown algorithm.
1718 Unknown,
1719}
1720assert_send_and_sync!(AsymmetricAlgorithm);
1721
1722const ASYMMETRIC_ALGORITHM_VARIANTS: [AsymmetricAlgorithm; 23] = [
1723 AsymmetricAlgorithm::RSA1024,
1724 AsymmetricAlgorithm::RSA2048,
1725 AsymmetricAlgorithm::RSA3072,
1726 AsymmetricAlgorithm::RSA4096,
1727 AsymmetricAlgorithm::ElGamal1024,
1728 AsymmetricAlgorithm::ElGamal2048,
1729 AsymmetricAlgorithm::ElGamal3072,
1730 AsymmetricAlgorithm::ElGamal4096,
1731 AsymmetricAlgorithm::DSA1024,
1732 AsymmetricAlgorithm::DSA2048,
1733 AsymmetricAlgorithm::DSA3072,
1734 AsymmetricAlgorithm::DSA4096,
1735 AsymmetricAlgorithm::NistP256,
1736 AsymmetricAlgorithm::NistP384,
1737 AsymmetricAlgorithm::NistP521,
1738 AsymmetricAlgorithm::BrainpoolP256,
1739 AsymmetricAlgorithm::BrainpoolP384,
1740 AsymmetricAlgorithm::BrainpoolP512,
1741 AsymmetricAlgorithm::Cv25519,
1742 AsymmetricAlgorithm::X25519,
1743 AsymmetricAlgorithm::X448,
1744 AsymmetricAlgorithm::Ed25519,
1745 AsymmetricAlgorithm::Ed448,
1746];
1747
1748impl AsymmetricAlgorithm {
1749 /// Returns an iterator over all valid variants.
1750 ///
1751 /// Returns an iterator over all known variants. This does not
1752 /// include the [`AsymmetricAlgorithm::Unknown`] variant.
1753 pub fn variants() -> impl Iterator<Item=AsymmetricAlgorithm> {
1754 ASYMMETRIC_ALGORITHM_VARIANTS.iter().cloned()
1755 }
1756}
1757
1758impl std::fmt::Display for AsymmetricAlgorithm {
1759 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
1760 write!(f, "{:?}", self)
1761 }
1762}
1763
1764impl From<AsymmetricAlgorithm> for u8 {
1765 fn from(a: AsymmetricAlgorithm) -> Self {
1766 use self::AsymmetricAlgorithm::*;
1767 match a {
1768 RSA1024 => 0,
1769 RSA2048 => 1,
1770 RSA3072 => 2,
1771 RSA4096 => 3,
1772 ElGamal1024 => 4,
1773 ElGamal2048 => 5,
1774 ElGamal3072 => 6,
1775 ElGamal4096 => 7,
1776 DSA1024 => 8,
1777 DSA2048 => 9,
1778 DSA3072 => 10,
1779 DSA4096 => 11,
1780 NistP256 => 12,
1781 NistP384 => 13,
1782 NistP521 => 14,
1783 BrainpoolP256 => 15,
1784 BrainpoolP384 => 16,
1785 BrainpoolP512 => 17,
1786 Cv25519 => 18,
1787 X25519 => 19,
1788 X448 => 20,
1789 Ed25519 => 21,
1790 Ed448 => 22,
1791 Unknown => 255,
1792 }
1793 }
1794}
1795
1796/// The Null Policy.
1797///
1798/// Danger, here be dragons.
1799///
1800/// This policy imposes no additional policy, i.e., accepts
1801/// everything. This includes the MD5 hash algorithm, and SED
1802/// packets.
1803///
1804/// The Null policy has a limited set of valid use cases, e.g., packet statistics.
1805/// For other purposes, it is more advisable to use the [`StandardPolicy`] and
1806/// adjust it by selectively allowing items considered insecure by default, e.g.,
1807/// via [`StandardPolicy::accept_hash`] function. If this is still too inflexible
1808/// consider creating a specialized policy based on the [`StandardPolicy`] as
1809/// [the example for `StandardPolicy`] illustrates.
1810///
1811/// [`StandardPolicy::accept_hash`]: StandardPolicy::accept_hash()
1812/// [the example for `StandardPolicy`]: StandardPolicy#examples
1813#[derive(Debug)]
1814pub struct NullPolicy {
1815}
1816
1817assert_send_and_sync!(NullPolicy);
1818
1819impl NullPolicy {
1820 /// Instantiates a new `NullPolicy`.
1821 pub const unsafe fn new() -> Self {
1822 NullPolicy {}
1823 }
1824}
1825
1826impl Policy for NullPolicy {
1827 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
1828 Ok(())
1829 }
1830
1831 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1832 -> Result<()>
1833 {
1834 Ok(())
1835 }
1836
1837 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1838 Ok(())
1839 }
1840
1841 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1842 Ok(())
1843 }
1844
1845 fn packet(&self, _packet: &Packet) -> Result<()> {
1846 Ok(())
1847 }
1848
1849}
1850
1851#[cfg(test)]
1852mod test {
1853 use std::io::Read;
1854 use std::time::Duration;
1855
1856 use super::*;
1857 use crate::Error;
1858 use crate::crypto::SessionKey;
1859 use crate::packet::key::Key4;
1860 use crate::packet::signature;
1861 use crate::packet::{PKESK, SKESK};
1862 use crate::parse::Parse;
1863 use crate::parse::stream::DecryptionHelper;
1864 use crate::parse::stream::DecryptorBuilder;
1865 use crate::parse::stream::DetachedVerifierBuilder;
1866 use crate::parse::stream::MessageLayer;
1867 use crate::parse::stream::MessageStructure;
1868 use crate::parse::stream::VerificationHelper;
1869 use crate::parse::stream::VerifierBuilder;
1870 use crate::policy::StandardPolicy as P;
1871 use crate::types::Curve;
1872 use crate::types::KeyFlags;
1873 use crate::types::SymmetricAlgorithm;
1874
1875 // Test that the constructor is const.
1876 const _A_STANDARD_POLICY: StandardPolicy = StandardPolicy::new();
1877
1878 #[test]
1879 fn binding_signature() {
1880 let p = &P::new();
1881
1882 // A primary and two subkeys.
1883 let (cert, _) = CertBuilder::new()
1884 .add_signing_subkey()
1885 .add_transport_encryption_subkey()
1886 .generate().unwrap();
1887
1888 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
1889
1890 // Reject all direct key signatures.
1891 #[derive(Debug)]
1892 struct NoDirectKeySigs;
1893 impl Policy for NoDirectKeySigs {
1894 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
1895 -> Result<()>
1896 {
1897 use crate::types::SignatureType::*;
1898
1899 match sig.typ() {
1900 DirectKey => Err(anyhow::anyhow!("direct key!")),
1901 _ => Ok(()),
1902 }
1903 }
1904
1905 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1906 -> Result<()>
1907 {
1908 Ok(())
1909 }
1910
1911 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1912 Ok(())
1913 }
1914
1915 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1916 Ok(())
1917 }
1918
1919 fn packet(&self, _packet: &Packet) -> Result<()> {
1920 Ok(())
1921 }
1922 }
1923
1924 let p = &NoDirectKeySigs {};
1925 assert_eq!(cert.keys().with_policy(p, None).count(), 0);
1926
1927 // Reject all subkey signatures.
1928 #[derive(Debug)]
1929 struct NoSubkeySigs;
1930 impl Policy for NoSubkeySigs {
1931 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
1932 -> Result<()>
1933 {
1934 use crate::types::SignatureType::*;
1935
1936 match sig.typ() {
1937 SubkeyBinding => Err(anyhow::anyhow!("subkey signature!")),
1938 _ => Ok(()),
1939 }
1940 }
1941
1942 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
1943 -> Result<()>
1944 {
1945 Ok(())
1946 }
1947
1948 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
1949 Ok(())
1950 }
1951
1952 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
1953 Ok(())
1954 }
1955
1956 fn packet(&self, _packet: &Packet) -> Result<()> {
1957 Ok(())
1958 }
1959 }
1960
1961 let p = &NoSubkeySigs {};
1962 assert_eq!(cert.keys().with_policy(p, None).count(), 1);
1963 }
1964
1965 #[test]
1966 fn revocation() -> Result<()> {
1967 use crate::cert::prelude::*;
1968 use crate::types::SignatureType;
1969 use crate::types::ReasonForRevocation;
1970
1971 let p = &P::new();
1972
1973 // A primary and two subkeys.
1974 let (cert, _) = CertBuilder::new()
1975 .add_userid("Alice")
1976 .add_signing_subkey()
1977 .add_transport_encryption_subkey()
1978 .generate()?;
1979
1980 // Make sure we have all keys and all user ids.
1981 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
1982 assert_eq!(cert.userids().with_policy(p, None).count(), 1);
1983
1984 // Reject all user id signatures.
1985 #[derive(Debug)]
1986 struct NoPositiveCertifications;
1987 impl Policy for NoPositiveCertifications {
1988 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
1989 -> Result<()>
1990 {
1991 use crate::types::SignatureType::*;
1992 match sig.typ() {
1993 PositiveCertification =>
1994 Err(anyhow::anyhow!("positive certification!")),
1995 _ => Ok(()),
1996 }
1997 }
1998
1999 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2000 -> Result<()>
2001 {
2002 Ok(())
2003 }
2004
2005 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2006 Ok(())
2007 }
2008
2009 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2010 Ok(())
2011 }
2012
2013 fn packet(&self, _packet: &Packet) -> Result<()> {
2014 Ok(())
2015 }
2016 }
2017 let p = &NoPositiveCertifications {};
2018 assert_eq!(cert.userids().with_policy(p, None).count(), 0);
2019
2020
2021 // Revoke it.
2022 let mut keypair = cert.primary_key().key().clone()
2023 .parts_into_secret()?.into_keypair()?;
2024 let ca = cert.userids().next().unwrap();
2025
2026 // Generate the revocation for the first and only UserID.
2027 let revocation =
2028 UserIDRevocationBuilder::new()
2029 .set_reason_for_revocation(
2030 ReasonForRevocation::KeyRetired,
2031 b"Left example.org.")?
2032 .build(&mut keypair, &cert, ca.userid(), None)?;
2033 assert_eq!(revocation.typ(), SignatureType::CertificationRevocation);
2034
2035 // Now merge the revocation signature into the Cert.
2036 let cert = cert.insert_packets(revocation.clone())?.0;
2037
2038 // Check that it is revoked.
2039 assert_eq!(cert.userids().with_policy(p, None).revoked(false).count(), 0);
2040
2041 // Reject all user id signatures.
2042 #[derive(Debug)]
2043 struct NoCertificationRevocation;
2044 impl Policy for NoCertificationRevocation {
2045 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2046 -> Result<()>
2047 {
2048 use crate::types::SignatureType::*;
2049 match sig.typ() {
2050 CertificationRevocation =>
2051 Err(anyhow::anyhow!("certification certification!")),
2052 _ => Ok(()),
2053 }
2054 }
2055
2056 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2057 -> Result<()>
2058 {
2059 Ok(())
2060 }
2061
2062 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2063 Ok(())
2064 }
2065
2066 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2067 Ok(())
2068 }
2069
2070 fn packet(&self, _packet: &Packet) -> Result<()> {
2071 Ok(())
2072 }
2073 }
2074 let p = &NoCertificationRevocation {};
2075
2076 // Check that the user id is no longer revoked.
2077 assert_eq!(cert.userids().with_policy(p, None).revoked(false).count(), 1);
2078
2079
2080 // Generate the revocation for the first subkey.
2081 let subkey = cert.keys().subkeys().next().unwrap();
2082 let revocation =
2083 SubkeyRevocationBuilder::new()
2084 .set_reason_for_revocation(
2085 ReasonForRevocation::KeyRetired,
2086 b"Smells funny.").unwrap()
2087 .build(&mut keypair, &cert, subkey.key(), None)?;
2088 assert_eq!(revocation.typ(), SignatureType::SubkeyRevocation);
2089
2090 // Now merge the revocation signature into the Cert.
2091 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 3);
2092 let cert = cert.insert_packets(revocation.clone())?.0;
2093 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 2);
2094
2095 // Reject all subkey revocations.
2096 #[derive(Debug)]
2097 struct NoSubkeyRevocation;
2098 impl Policy for NoSubkeyRevocation {
2099 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2100 -> Result<()>
2101 {
2102 use crate::types::SignatureType::*;
2103 match sig.typ() {
2104 SubkeyRevocation =>
2105 Err(anyhow::anyhow!("subkey revocation!")),
2106 _ => Ok(()),
2107 }
2108 }
2109
2110 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2111 -> Result<()>
2112 {
2113 Ok(())
2114 }
2115
2116 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2117 Ok(())
2118 }
2119
2120 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2121 Ok(())
2122 }
2123
2124 fn packet(&self, _packet: &Packet) -> Result<()> {
2125 Ok(())
2126 }
2127 }
2128 let p = &NoSubkeyRevocation {};
2129
2130 // Check that the key is no longer revoked.
2131 assert_eq!(cert.keys().with_policy(p, None).revoked(false).count(), 3);
2132
2133 Ok(())
2134 }
2135
2136
2137 #[test]
2138 fn binary_signature() -> Result<()> {
2139 #[derive(PartialEq, Debug)]
2140 struct VHelper {
2141 good: usize,
2142 errors: usize,
2143 keys: Vec<Cert>,
2144 }
2145
2146 impl VHelper {
2147 fn new(keys: Vec<Cert>) -> Self {
2148 VHelper {
2149 good: 0,
2150 errors: 0,
2151 keys,
2152 }
2153 }
2154 }
2155
2156 impl VerificationHelper for VHelper {
2157 fn get_certs(&mut self, _ids: &[crate::KeyHandle])
2158 -> Result<Vec<Cert>>
2159 {
2160 Ok(self.keys.clone())
2161 }
2162
2163 fn check(&mut self, structure: MessageStructure) -> Result<()>
2164 {
2165 for layer in structure {
2166 match layer {
2167 MessageLayer::SignatureGroup { ref results } =>
2168 for result in results {
2169 eprintln!("result: {:?}", result);
2170 match result {
2171 Ok(_) => self.good += 1,
2172 Err(_) => self.errors += 1,
2173 }
2174 }
2175 MessageLayer::Compression { .. } => (),
2176 _ => unreachable!(),
2177 }
2178 }
2179
2180 Ok(())
2181 }
2182 }
2183
2184 impl DecryptionHelper for VHelper {
2185 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2186 _: Option<SymmetricAlgorithm>,
2187 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2188 -> Result<Option<Cert>>
2189 {
2190 unreachable!();
2191 }
2192 }
2193
2194 // Reject all data (binary) signatures.
2195 #[derive(Debug)]
2196 struct NoBinarySigantures;
2197 impl Policy for NoBinarySigantures {
2198 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2199 -> Result<()>
2200 {
2201 use crate::types::SignatureType::*;
2202 eprintln!("{:?}", sig.typ());
2203 match sig.typ() {
2204 Binary =>
2205 Err(anyhow::anyhow!("binary!")),
2206 _ => Ok(()),
2207 }
2208 }
2209
2210 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2211 -> Result<()>
2212 {
2213 Ok(())
2214 }
2215
2216 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2217 Ok(())
2218 }
2219
2220 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2221 Ok(())
2222 }
2223
2224 fn packet(&self, _packet: &Packet) -> Result<()> {
2225 Ok(())
2226 }
2227 }
2228 let no_binary_signatures = &NoBinarySigantures {};
2229
2230 // Reject all subkey signatures.
2231 #[derive(Debug)]
2232 struct NoSubkeySigs;
2233 impl Policy for NoSubkeySigs {
2234 fn signature(&self, sig: &Signature, _sec: HashAlgoSecurity)
2235 -> Result<()>
2236 {
2237 use crate::types::SignatureType::*;
2238
2239 match sig.typ() {
2240 SubkeyBinding => Err(anyhow::anyhow!("subkey signature!")),
2241 _ => Ok(()),
2242 }
2243 }
2244
2245 fn key(&self, _ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2246 -> Result<()>
2247 {
2248 Ok(())
2249 }
2250
2251 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2252 Ok(())
2253 }
2254
2255 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2256 Ok(())
2257 }
2258
2259 fn packet(&self, _packet: &Packet) -> Result<()> {
2260 Ok(())
2261 }
2262 }
2263 let no_subkey_signatures = &NoSubkeySigs {};
2264
2265 let standard = &P::new();
2266
2267 let keys = [
2268 "neal.pgp",
2269 ].iter()
2270 .map(|f| Cert::from_bytes(crate::tests::key(f)).unwrap())
2271 .collect::<Vec<_>>();
2272 let data = "messages/signed-1.gpg";
2273
2274 let reference = crate::tests::manifesto();
2275
2276
2277
2278 // Test Verifier.
2279
2280 // Standard policy => ok.
2281 let h = VHelper::new(keys.clone());
2282 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2283 .with_policy(standard, crate::frozen_time(), h)?;
2284 assert!(v.message_processed());
2285 assert_eq!(v.helper_ref().good, 1);
2286 assert_eq!(v.helper_ref().errors, 0);
2287
2288 let mut content = Vec::new();
2289 v.read_to_end(&mut content).unwrap();
2290 assert_eq!(reference.len(), content.len());
2291 assert_eq!(reference, &content[..]);
2292
2293
2294 // Kill the subkey.
2295 let h = VHelper::new(keys.clone());
2296 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2297 .with_policy(no_subkey_signatures, crate::frozen_time(), h)?;
2298 assert!(v.message_processed());
2299 assert_eq!(v.helper_ref().good, 0);
2300 assert_eq!(v.helper_ref().errors, 1);
2301
2302 let mut content = Vec::new();
2303 v.read_to_end(&mut content).unwrap();
2304 assert_eq!(reference.len(), content.len());
2305 assert_eq!(reference, &content[..]);
2306
2307
2308 // Kill the data signature.
2309 let h = VHelper::new(keys.clone());
2310 let mut v = VerifierBuilder::from_bytes(crate::tests::file(data))?
2311 .with_policy(no_binary_signatures, crate::frozen_time(), h)?;
2312 assert!(v.message_processed());
2313 assert_eq!(v.helper_ref().good, 0);
2314 assert_eq!(v.helper_ref().errors, 1);
2315
2316 let mut content = Vec::new();
2317 v.read_to_end(&mut content).unwrap();
2318 assert_eq!(reference.len(), content.len());
2319 assert_eq!(reference, &content[..]);
2320
2321
2322
2323 // Test Decryptor.
2324
2325 // Standard policy.
2326 let h = VHelper::new(keys.clone());
2327 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2328 .with_policy(standard, crate::frozen_time(), h)?;
2329 assert!(v.message_processed());
2330 assert_eq!(v.helper_ref().good, 1);
2331 assert_eq!(v.helper_ref().errors, 0);
2332
2333 let mut content = Vec::new();
2334 v.read_to_end(&mut content).unwrap();
2335 assert_eq!(reference.len(), content.len());
2336 assert_eq!(reference, &content[..]);
2337
2338
2339 // Kill the subkey.
2340 let h = VHelper::new(keys.clone());
2341 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2342 .with_policy(no_subkey_signatures, crate::frozen_time(), h)?;
2343 assert!(v.message_processed());
2344 assert_eq!(v.helper_ref().good, 0);
2345 assert_eq!(v.helper_ref().errors, 1);
2346
2347 let mut content = Vec::new();
2348 v.read_to_end(&mut content).unwrap();
2349 assert_eq!(reference.len(), content.len());
2350 assert_eq!(reference, &content[..]);
2351
2352
2353 // Kill the data signature.
2354 let h = VHelper::new(keys.clone());
2355 let mut v = DecryptorBuilder::from_bytes(crate::tests::file(data))?
2356 .with_policy(no_binary_signatures, crate::frozen_time(), h)?;
2357 assert!(v.message_processed());
2358 assert_eq!(v.helper_ref().good, 0);
2359 assert_eq!(v.helper_ref().errors, 1);
2360
2361 let mut content = Vec::new();
2362 v.read_to_end(&mut content).unwrap();
2363 assert_eq!(reference.len(), content.len());
2364 assert_eq!(reference, &content[..]);
2365 Ok(())
2366 }
2367
2368 #[test]
2369 fn hash_algo() -> Result<()> {
2370 use crate::types::RevocationStatus;
2371 use crate::types::ReasonForRevocation;
2372
2373 const SECS_IN_YEAR : u64 = 365 * 24 * 60 * 60;
2374
2375 // A `const fn` is only guaranteed to be evaluated at compile
2376 // time if the result is assigned to a `const` variable. Make
2377 // sure that works.
2378 const DEFAULT : StandardPolicy = StandardPolicy::new();
2379
2380 let (cert, _) = CertBuilder::new()
2381 .add_userid("Alice")
2382 .generate()?;
2383
2384 let algo = cert.primary_key()
2385 .binding_signature(&DEFAULT, None).unwrap().hash_algo();
2386
2387 eprintln!("{:?}", algo);
2388
2389 // Create a revoked version.
2390 let mut keypair = cert.primary_key().key().clone()
2391 .parts_into_secret()?.into_keypair()?;
2392 let rev = cert.revoke(
2393 &mut keypair,
2394 ReasonForRevocation::KeyCompromised,
2395 b"It was the maid :/")?;
2396 let cert_revoked = cert.clone().insert_packets(rev)?.0;
2397
2398 match cert_revoked.revocation_status(&DEFAULT, None) {
2399 RevocationStatus::Revoked(sigs) => {
2400 assert_eq!(sigs.len(), 1);
2401 assert_eq!(sigs[0].hash_algo(), algo);
2402 }
2403 _ => panic!("not revoked"),
2404 }
2405
2406
2407 // Reject the hash algorithm unconditionally.
2408 let mut reject : StandardPolicy = StandardPolicy::new();
2409 reject.reject_hash(algo);
2410 assert!(cert.primary_key()
2411 .binding_signature(&reject, None).is_err());
2412 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2413 = cert_revoked.revocation_status(&reject, None));
2414
2415 // Reject the hash algorithm next year.
2416 let mut reject : StandardPolicy = StandardPolicy::new();
2417 reject.reject_hash_at(
2418 algo,
2419 crate::now().checked_add(Duration::from_secs(SECS_IN_YEAR)));
2420 reject.hash_revocation_tolerance(0);
2421 cert.primary_key().binding_signature(&reject, None)?;
2422 assert_match!(RevocationStatus::Revoked(_)
2423 = cert_revoked.revocation_status(&reject, None));
2424
2425 // Reject the hash algorithm last year.
2426 let mut reject : StandardPolicy = StandardPolicy::new();
2427 reject.reject_hash_at(
2428 algo,
2429 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2430 reject.hash_revocation_tolerance(0);
2431 assert!(cert.primary_key()
2432 .binding_signature(&reject, None).is_err());
2433 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2434 = cert_revoked.revocation_status(&reject, None));
2435
2436 // Reject the hash algorithm for normal signatures last year,
2437 // and revocations next year.
2438 let mut reject : StandardPolicy = StandardPolicy::new();
2439 reject.reject_hash_at(
2440 algo,
2441 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2442 reject.hash_revocation_tolerance(2 * SECS_IN_YEAR as u32);
2443 assert!(cert.primary_key()
2444 .binding_signature(&reject, None).is_err());
2445 assert_match!(RevocationStatus::Revoked(_)
2446 = cert_revoked.revocation_status(&reject, None));
2447
2448 // Accept algo, but reject the algos with id - 1 and id + 1.
2449 let mut reject : StandardPolicy = StandardPolicy::new();
2450 let algo_u8 : u8 = algo.into();
2451 assert!(algo_u8 != 0u8);
2452 reject.reject_hash_at(
2453 (algo_u8 - 1).into(),
2454 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2455 reject.reject_hash_at(
2456 (algo_u8 + 1).into(),
2457 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2458 reject.hash_revocation_tolerance(0);
2459 cert.primary_key().binding_signature(&reject, None)?;
2460 assert_match!(RevocationStatus::Revoked(_)
2461 = cert_revoked.revocation_status(&reject, None));
2462
2463 // Reject the hash algorithm since before the Unix epoch.
2464 // Since the earliest representable time using a Timestamp is
2465 // the Unix epoch, this is equivalent to rejecting everything.
2466 let mut reject : StandardPolicy = StandardPolicy::new();
2467 reject.reject_hash_at(
2468 algo,
2469 crate::now().checked_sub(Duration::from_secs(SECS_IN_YEAR)));
2470 reject.hash_revocation_tolerance(0);
2471 assert!(cert.primary_key()
2472 .binding_signature(&reject, None).is_err());
2473 assert_match!(RevocationStatus::NotAsFarAsWeKnow
2474 = cert_revoked.revocation_status(&reject, None));
2475
2476 // Reject the hash algorithm after the end of time that is
2477 // representable by a Timestamp (2106). This should accept
2478 // everything.
2479 let mut reject : StandardPolicy = StandardPolicy::new();
2480 reject.reject_hash_at(
2481 algo,
2482 SystemTime::UNIX_EPOCH.checked_add(Duration::from_secs(500 * SECS_IN_YEAR)));
2483 reject.hash_revocation_tolerance(0);
2484 cert.primary_key().binding_signature(&reject, None)?;
2485 assert_match!(RevocationStatus::Revoked(_)
2486 = cert_revoked.revocation_status(&reject, None));
2487
2488 Ok(())
2489 }
2490
2491 #[test]
2492 fn key_verify_self_signature() -> Result<()> {
2493 let p = &P::new();
2494
2495 #[derive(Debug)]
2496 struct NoRsa;
2497 impl Policy for NoRsa {
2498 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2499 -> Result<()>
2500 {
2501 use crate::types::PublicKeyAlgorithm::*;
2502
2503 eprintln!("algo: {}", ka.key().pk_algo());
2504 if ka.key().pk_algo() == RSAEncryptSign {
2505 Err(anyhow::anyhow!("RSA!"))
2506 } else {
2507 Ok(())
2508 }
2509 }
2510
2511 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
2512 Ok(())
2513 }
2514
2515 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2516 Ok(())
2517 }
2518
2519 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2520 Ok(())
2521 }
2522
2523 fn packet(&self, _packet: &Packet) -> Result<()> {
2524 Ok(())
2525 }
2526 }
2527 let norsa = &NoRsa {};
2528
2529 // Generate a certificate with an RSA primary and two RSA
2530 // subkeys.
2531 let (cert,_) = CertBuilder::new()
2532 .set_cipher_suite(CipherSuite::RSA2k)
2533 .add_signing_subkey()
2534 .add_signing_subkey()
2535 .generate()?;
2536 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2537 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2538 assert!(cert.primary_key().with_policy(p, None).is_ok());
2539 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2540
2541 // Generate a certificate with an ECC primary, an ECC subkey,
2542 // and an RSA subkey.
2543 let (cert,_) = CertBuilder::new()
2544 .set_cipher_suite(CipherSuite::Cv25519)
2545 .add_signing_subkey()
2546 .generate()?;
2547
2548 let pk = cert.primary_key().key().parts_as_secret()?;
2549 let subkey: key::SecretSubkey
2550 = Key4::generate_rsa(2048)?.into();
2551 let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding)
2552 .set_key_flags(KeyFlags::empty().set_transport_encryption())?
2553 .sign_subkey_binding(&mut pk.clone().into_keypair()?,
2554 pk.parts_as_public(), &subkey)?;
2555
2556 let cert = cert.insert_packets(
2557 vec![ Packet::from(subkey), binding.into() ])?.0;
2558
2559 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2560 assert_eq!(cert.keys().with_policy(norsa, None).count(), 2);
2561 assert!(cert.primary_key().with_policy(p, None).is_ok());
2562 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2563
2564 // Generate a certificate with an RSA primary, an RSA subkey,
2565 // and an ECC subkey.
2566 let (cert,_) = CertBuilder::new()
2567 .set_cipher_suite(CipherSuite::RSA2k)
2568 .add_signing_subkey()
2569 .generate()?;
2570
2571 let pk = cert.primary_key().key().parts_as_secret()?;
2572 let subkey: key::SecretSubkey
2573 = key::Key6::generate_ecc(true, Curve::Ed25519)?.into();
2574 let binding = signature::SignatureBuilder::new(SignatureType::SubkeyBinding)
2575 .set_key_flags(KeyFlags::empty().set_transport_encryption())?
2576 .sign_subkey_binding(&mut pk.clone().into_keypair()?,
2577 pk.parts_as_public(), &subkey)?;
2578
2579 let cert = cert.insert_packets(
2580 vec![ Packet::from(subkey), binding.into() ])?.0;
2581
2582 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2583 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2584 assert!(cert.primary_key().with_policy(p, None).is_ok());
2585 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2586
2587 // Generate a certificate with an ECC primary and two ECC
2588 // subkeys.
2589 let (cert,_) = CertBuilder::new()
2590 .set_cipher_suite(CipherSuite::Cv25519)
2591 .add_signing_subkey()
2592 .add_signing_subkey()
2593 .generate()?;
2594 assert_eq!(cert.keys().with_policy(p, None).count(), 3);
2595 assert_eq!(cert.keys().with_policy(norsa, None).count(), 3);
2596 assert!(cert.primary_key().with_policy(p, None).is_ok());
2597 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2598
2599 Ok(())
2600 }
2601
2602 #[test]
2603 fn key_verify_binary_signature() -> Result<()> {
2604 use crate::packet::signature;
2605 use crate::serialize::SerializeInto;
2606 use crate::Packet;
2607 use crate::types::KeyFlags;
2608
2609 let p = &P::new();
2610
2611 #[derive(Debug)]
2612 struct NoRsa;
2613 impl Policy for NoRsa {
2614 fn key(&self, ka: &ValidErasedKeyAmalgamation<key::PublicParts>)
2615 -> Result<()>
2616 {
2617 use crate::types::PublicKeyAlgorithm::*;
2618
2619 eprintln!("algo: {} is {}",
2620 ka.key().fingerprint(), ka.key().pk_algo());
2621 if ka.key().pk_algo() == RSAEncryptSign {
2622 Err(anyhow::anyhow!("RSA!"))
2623 } else {
2624 Ok(())
2625 }
2626 }
2627
2628 fn signature(&self, _sig: &Signature, _sec: HashAlgoSecurity) -> Result<()> {
2629 Ok(())
2630 }
2631
2632 fn symmetric_algorithm(&self, _algo: SymmetricAlgorithm) -> Result<()> {
2633 Ok(())
2634 }
2635
2636 fn aead_algorithm(&self, _algo: AEADAlgorithm) -> Result<()> {
2637 Ok(())
2638 }
2639
2640 fn packet(&self, _packet: &Packet) -> Result<()> {
2641 Ok(())
2642 }
2643 }
2644 let norsa = &NoRsa {};
2645
2646 #[derive(PartialEq, Debug)]
2647 struct VHelper {
2648 good: usize,
2649 errors: usize,
2650 keys: Vec<Cert>,
2651 }
2652
2653 impl VHelper {
2654 fn new(keys: Vec<Cert>) -> Self {
2655 VHelper {
2656 good: 0,
2657 errors: 0,
2658 keys,
2659 }
2660 }
2661 }
2662
2663 impl VerificationHelper for VHelper {
2664 fn get_certs(&mut self, _ids: &[crate::KeyHandle])
2665 -> Result<Vec<Cert>>
2666 {
2667 Ok(self.keys.clone())
2668 }
2669
2670 fn check(&mut self, structure: MessageStructure) -> Result<()>
2671 {
2672 for layer in structure {
2673 match layer {
2674 MessageLayer::SignatureGroup { ref results } =>
2675 for result in results {
2676 match result {
2677 Ok(_) => self.good += 1,
2678 Err(e) => {
2679 eprintln!("{}", e);
2680 self.errors += 1
2681 },
2682 }
2683 }
2684 MessageLayer::Compression { .. } => (),
2685 _ => unreachable!(),
2686 }
2687 }
2688
2689 Ok(())
2690 }
2691 }
2692
2693 impl DecryptionHelper for VHelper {
2694 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2695 _: Option<SymmetricAlgorithm>,
2696 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2697 -> Result<Option<Cert>>
2698 {
2699 unreachable!();
2700 }
2701 }
2702
2703 // Sign msg using cert's first subkey, return the signature.
2704 fn sign_and_verify(p: &dyn Policy, cert: &Cert, good: bool) {
2705 eprintln!("Expect verification to be {}",
2706 if good { "good" } else { "bad" });
2707 for (i, k) in cert.keys().enumerate() {
2708 eprintln!(" {}. {}", i, k.key().fingerprint());
2709 }
2710
2711 let msg = b"Hello, World";
2712
2713 // We always use the first subkey.
2714 let key = cert.keys().nth(1).unwrap().key();
2715 let mut keypair = key.clone()
2716 .parts_into_secret().unwrap()
2717 .into_keypair().unwrap();
2718
2719 // Create a signature.
2720 let sig =
2721 signature::SignatureBuilder::new(SignatureType::Binary)
2722 .sign_message(&mut keypair, msg).unwrap();
2723
2724 // Make sure the signature is ok.
2725 sig.verify_message(key, msg).unwrap();
2726
2727 // Turn it into a detached signature.
2728 let sig = Packet::from(sig).to_vec().unwrap();
2729
2730 let h = VHelper::new(vec![ cert.clone() ]);
2731 let mut v = DetachedVerifierBuilder::from_bytes(&sig).unwrap()
2732 .with_policy(p, None, h).unwrap();
2733 v.verify_bytes(msg).unwrap();
2734 assert_eq!(v.helper_ref().good, if good { 1 } else { 0 });
2735 assert_eq!(v.helper_ref().errors, if good { 0 } else { 1 });
2736 }
2737
2738
2739 // A certificate with an ECC primary and an ECC signing
2740 // subkey.
2741 eprintln!("Trying ECC primary, ECC sub:");
2742 let (cert,_) = CertBuilder::new()
2743 .set_cipher_suite(CipherSuite::Cv25519)
2744 .add_subkey(KeyFlags::empty().set_signing(), None,
2745 None)
2746 .generate()?;
2747
2748 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2749 assert_eq!(cert.keys().with_policy(norsa, None).count(), 2);
2750 assert!(cert.primary_key().with_policy(p, None).is_ok());
2751 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2752
2753 sign_and_verify(p, &cert, true);
2754 sign_and_verify(norsa, &cert, true);
2755
2756 // A certificate with an RSA primary and an RCC signing
2757 // subkey.
2758 eprintln!("Trying RSA primary, ECC sub:");
2759 let (cert,_) = CertBuilder::new()
2760 .set_cipher_suite(CipherSuite::RSA2k)
2761 .add_subkey(KeyFlags::empty().set_signing(), None,
2762 CipherSuite::Cv25519)
2763 .generate()?;
2764
2765 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2766 assert_eq!(cert.keys().with_policy(norsa, None).count(), 0);
2767 assert!(cert.primary_key().with_policy(p, None).is_ok());
2768 assert!(cert.primary_key().with_policy(norsa, None).is_err());
2769
2770 sign_and_verify(p, &cert, true);
2771 sign_and_verify(norsa, &cert, false);
2772
2773 // A certificate with an ECC primary and an RSA signing
2774 // subkey.
2775 eprintln!("Trying ECC primary, RSA sub:");
2776 let (cert,_) = CertBuilder::new()
2777 .set_cipher_suite(CipherSuite::Cv25519)
2778 .add_subkey(KeyFlags::empty().set_signing(), None,
2779 CipherSuite::RSA2k)
2780 .generate()?;
2781
2782 assert_eq!(cert.keys().with_policy(p, None).count(), 2);
2783 assert_eq!(cert.keys().with_policy(norsa, None).count(), 1);
2784 assert!(cert.primary_key().with_policy(p, None).is_ok());
2785 assert!(cert.primary_key().with_policy(norsa, None).is_ok());
2786
2787 sign_and_verify(p, &cert, true);
2788 sign_and_verify(norsa, &cert, false);
2789
2790 Ok(())
2791 }
2792
2793 #[test]
2794 fn reject_seip_packet() -> Result<()> {
2795 #[derive(PartialEq, Debug)]
2796 struct Helper {}
2797 impl VerificationHelper for Helper {
2798 fn get_certs(&mut self, _: &[crate::KeyHandle])
2799 -> Result<Vec<Cert>> {
2800 unreachable!()
2801 }
2802
2803 fn check(&mut self, _: MessageStructure) -> Result<()> {
2804 unreachable!()
2805 }
2806 }
2807
2808 impl DecryptionHelper for Helper {
2809 fn decrypt(&mut self, _: &[PKESK], _: &[SKESK],
2810 _: Option<SymmetricAlgorithm>,
2811 _: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2812 -> Result<Option<Cert>>
2813 {
2814 Ok(None)
2815 }
2816 }
2817
2818 let p = &P::new();
2819 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2820 "encrypted-to-testy.gpg"))?
2821 .with_policy(p, crate::frozen_time(), Helper {});
2822 match r {
2823 Ok(_) => panic!(),
2824 Err(e) => assert_match!(Error::MissingSessionKey(_)
2825 = e.downcast().unwrap()),
2826 }
2827
2828 // Reject the SEIP packet.
2829 let p = &mut P::new();
2830 p.reject_packet_tag(Tag::SEIP);
2831 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2832 "encrypted-to-testy.gpg"))?
2833 .with_policy(p, crate::frozen_time(), Helper {});
2834 match r {
2835 Ok(_) => panic!(),
2836 Err(e) => assert_match!(Error::PolicyViolation(_, _)
2837 = e.downcast().unwrap()),
2838 }
2839 Ok(())
2840 }
2841
2842 #[test]
2843 fn reject_cipher() -> Result<()> {
2844 struct Helper {}
2845 impl VerificationHelper for Helper {
2846 fn get_certs(&mut self, _: &[crate::KeyHandle])
2847 -> Result<Vec<Cert>> {
2848 Ok(Default::default())
2849 }
2850
2851 fn check(&mut self, _: MessageStructure) -> Result<()> {
2852 Ok(())
2853 }
2854 }
2855
2856 impl DecryptionHelper for Helper {
2857 fn decrypt(&mut self, pkesks: &[PKESK], _: &[SKESK],
2858 algo: Option<SymmetricAlgorithm>,
2859 decrypt: &mut dyn FnMut(Option<SymmetricAlgorithm>, &SessionKey) -> bool)
2860 -> Result<Option<Cert>>
2861 {
2862 let p = &P::new();
2863 let mut pair = Cert::from_bytes(
2864 crate::tests::key("testy-private.pgp"))?
2865 .keys().with_policy(p, None)
2866 .for_transport_encryption().secret().next().unwrap()
2867 .key().clone().into_keypair()?;
2868 pkesks[0].decrypt(&mut pair, algo)
2869 .map(|(algo, session_key)| decrypt(algo, &session_key));
2870 Ok(None)
2871 }
2872 }
2873
2874 let p = &P::new();
2875 DecryptorBuilder::from_bytes(crate::tests::message(
2876 "encrypted-to-testy-no-compression.gpg"))?
2877 .with_policy(p, crate::frozen_time(), Helper {})?;
2878
2879 // Reject the AES256.
2880 let p = &mut P::new();
2881 p.reject_symmetric_algo(SymmetricAlgorithm::AES256);
2882 let r = DecryptorBuilder::from_bytes(crate::tests::message(
2883 "encrypted-to-testy-no-compression.gpg"))?
2884 .with_policy(p, crate::frozen_time(), Helper {});
2885 match r {
2886 Ok(_) => panic!(),
2887 Err(e) => assert_match!(Error::PolicyViolation(_, _)
2888 = e.downcast().unwrap()),
2889 }
2890 Ok(())
2891 }
2892
2893 #[test]
2894 fn reject_asymmetric_algos() -> Result<()> {
2895 let cert = Cert::from_bytes(crate::tests::key("neal.pgp"))?;
2896 let p = &mut P::new();
2897 let t = crate::frozen_time();
2898
2899 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 4);
2900 p.reject_asymmetric_algo(AsymmetricAlgorithm::RSA1024);
2901 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 4);
2902 p.reject_asymmetric_algo(AsymmetricAlgorithm::RSA2048);
2903 assert_eq!(cert.with_policy(p, t).unwrap().keys().count(), 1);
2904 Ok(())
2905 }
2906
2907 #[test]
2908 fn reject_all_hashes() -> Result<()> {
2909 let mut p = StandardPolicy::new();
2910
2911 let set_variants = [
2912 HashAlgorithm::MD5,
2913 HashAlgorithm::Unknown(234),
2914 ];
2915 let check_variants = [
2916 HashAlgorithm::SHA512,
2917 HashAlgorithm::Unknown(239),
2918 ];
2919
2920 // Accept a few hashes explicitly.
2921 for v in set_variants.iter().cloned() {
2922 p.accept_hash(v);
2923 assert_eq!(
2924 p.hash_cutoff(
2925 v,
2926 HashAlgoSecurity::SecondPreImageResistance),
2927 ACCEPT.map(Into::into));
2928 assert_eq!(
2929 p.hash_cutoff(
2930 v,
2931 HashAlgoSecurity::CollisionResistance),
2932 ACCEPT.map(Into::into));
2933 }
2934
2935 // Reject all hashes.
2936 p.reject_all_hashes();
2937
2938 for v in set_variants.iter().chain(check_variants.iter()).cloned() {
2939 assert_eq!(
2940 p.hash_cutoff(
2941 v,
2942 HashAlgoSecurity::SecondPreImageResistance),
2943 REJECT.map(Into::into));
2944 assert_eq!(
2945 p.hash_cutoff(
2946 v,
2947 HashAlgoSecurity::CollisionResistance),
2948 REJECT.map(Into::into));
2949 }
2950
2951 Ok(())
2952 }
2953
2954 macro_rules! reject_all_check {
2955 ($reject_all:ident, $accept_one:ident, $cutoff:ident,
2956 $set_variants:expr, $check_variants:expr) => {
2957 #[test]
2958 fn $reject_all() -> Result<()> {
2959 let mut p = StandardPolicy::new();
2960
2961 // Accept a few hashes explicitly.
2962 for v in $set_variants.iter().cloned() {
2963 p.$accept_one(v);
2964 assert_eq!(p.$cutoff(v), ACCEPT.map(Into::into));
2965 }
2966
2967 // Reject all hashes.
2968 p.$reject_all();
2969
2970 for v in $set_variants.iter()
2971 .chain($check_variants.iter()).cloned()
2972 {
2973 assert_eq!(
2974 p.$cutoff(v),
2975 REJECT.map(Into::into));
2976 }
2977 Ok(())
2978 }
2979 }
2980 }
2981
2982 reject_all_check!(reject_all_critical_subpackets,
2983 accept_critical_subpacket,
2984 critical_subpacket_cutoff,
2985 &[ SubpacketTag::TrustSignature,
2986 SubpacketTag::Unknown(252) ],
2987 &[ SubpacketTag::Unknown(253),
2988 SubpacketTag::SignatureCreationTime ]);
2989
2990 reject_all_check!(reject_all_asymmetric_algos,
2991 accept_asymmetric_algo,
2992 asymmetric_algo_cutoff,
2993 &[ AsymmetricAlgorithm::RSA3072,
2994 AsymmetricAlgorithm::Cv25519 ],
2995 &[ AsymmetricAlgorithm::Unknown,
2996 AsymmetricAlgorithm::NistP256 ]);
2997
2998 reject_all_check!(reject_all_symmetric_algos,
2999 accept_symmetric_algo,
3000 symmetric_algo_cutoff,
3001 &[ SymmetricAlgorithm::Unencrypted,
3002 SymmetricAlgorithm::Unknown(252) ],
3003 &[ SymmetricAlgorithm::AES256,
3004 SymmetricAlgorithm::Unknown(230) ]);
3005
3006 reject_all_check!(reject_all_aead_algos,
3007 accept_aead_algo,
3008 aead_algo_cutoff,
3009 &[ AEADAlgorithm::OCB ],
3010 &[ AEADAlgorithm::EAX ]);
3011
3012 #[test]
3013 fn reject_all_packets() -> Result<()> {
3014 let mut p = StandardPolicy::new();
3015
3016 let set_variants = [
3017 (Tag::SEIP, 4),
3018 (Tag::Unknown(252), 17),
3019 ];
3020 let check_variants = [
3021 (Tag::Signature, 4),
3022 (Tag::Unknown(230), 9),
3023 ];
3024
3025 // Accept a few packets explicitly.
3026 for (t, v) in set_variants.iter().cloned() {
3027 p.accept_packet_tag_version(t, v);
3028 assert_eq!(
3029 p.packet_tag_version_cutoff(t, v),
3030 ACCEPT.map(Into::into));
3031 }
3032
3033 // Reject all hashes.
3034 p.reject_all_packet_tags();
3035
3036 for (t, v) in set_variants.iter().chain(check_variants.iter()).cloned() {
3037 assert_eq!(
3038 p.packet_tag_version_cutoff(t, v),
3039 REJECT.map(Into::into));
3040 }
3041
3042 Ok(())
3043 }
3044
3045 #[test]
3046 fn packet_versions() -> Result<()> {
3047 // Accept the version of a packet. Optionally make sure a
3048 // different version is not accepted.
3049 fn accept_and_check(p: &mut StandardPolicy,
3050 tag: Tag,
3051 accept_versions: &[u8],
3052 good_versions: &[u8],
3053 bad_versions: &[u8]) {
3054 for v in accept_versions {
3055 p.accept_packet_tag_version(tag, *v);
3056 assert_eq!(
3057 p.packet_tag_version_cutoff(tag, *v),
3058 ACCEPT.map(Into::into));
3059 }
3060
3061 for v in good_versions.iter() {
3062 assert_eq!(
3063 p.packet_tag_version_cutoff(tag, *v),
3064 ACCEPT.map(Into::into));
3065 }
3066 for v in bad_versions.iter() {
3067 assert_eq!(
3068 p.packet_tag_version_cutoff(tag, *v),
3069 REJECT.map(Into::into));
3070 }
3071 }
3072
3073 use rand::seq::SliceRandom;
3074 let mut rng = rand::thread_rng();
3075
3076 let mut all_versions = (0..=u8::MAX).collect::<Vec<_>>();
3077 all_versions.shuffle(&mut rng);
3078 let all_versions = &all_versions[..];
3079 let mut not_v5 = all_versions.iter()
3080 .filter(|&&v| v != 5)
3081 .cloned()
3082 .collect::<Vec<_>>();
3083 not_v5.shuffle(&mut rng);
3084 let not_v5 = ¬_v5[..];
3085
3086 let p = &mut StandardPolicy::new();
3087 p.reject_all_packet_tags();
3088
3089 // First only use the versioned interfaces.
3090 accept_and_check(p, Tag::Signature, &[3], &[], &[4, 5]);
3091 accept_and_check(p, Tag::Signature, &[4], &[3], &[5]);
3092
3093 // Only use an unversioned policy.
3094 accept_and_check(p, Tag::SEIP,
3095 &[], // set to accept
3096 &[], // good
3097 all_versions, // bad
3098 );
3099 p.accept_packet_tag(Tag::SEIP);
3100 accept_and_check(p, Tag::SEIP,
3101 &[], // set to accept
3102 all_versions, // good
3103 &[], // bad
3104 );
3105
3106 // Set an unversioned policy and then a versioned policy.
3107 accept_and_check(p, Tag::PKESK,
3108 &[], // set to accept
3109 &[], // good
3110 all_versions, // bad
3111 );
3112 p.accept_packet_tag(Tag::PKESK);
3113 accept_and_check(p, Tag::PKESK,
3114 &[], // set to accept
3115 &(0..u8::MAX).collect::<Vec<_>>()[..], // good
3116 &[], // bad
3117 );
3118 p.reject_packet_tag_version(Tag::PKESK, 5);
3119 accept_and_check(p, Tag::PKESK,
3120 &[], // set to accept
3121 not_v5, // good
3122 &[5], // bad
3123 );
3124
3125 // Set a versioned policy and then an unversioned policy.
3126 // Make sure that the versioned policy is cleared by the
3127 // unversioned policy.
3128 accept_and_check(p, Tag::SKESK,
3129 &[], // set to accept
3130 &[], // good
3131 all_versions, // bad
3132 );
3133 p.accept_packet_tag_version(Tag::SKESK, 5);
3134 accept_and_check(p, Tag::SKESK,
3135 &[], // set to accept
3136 &[5], // good
3137 not_v5, // bad
3138 );
3139 p.reject_packet_tag(Tag::SKESK);
3140 // All versions should be bad now...
3141 accept_and_check(p, Tag::SKESK,
3142 &[], // set to accept
3143 &[], // good
3144 all_versions, // bad
3145 );
3146
3147 Ok(())
3148 }
3149}