From 1da603b1698f8d8c8e969a3b7b86d6c35163f945 Mon Sep 17 00:00:00 2001
From: Aron Wussler
Date: Tue, 21 Mar 2023 10:20:39 +0100
Subject: [PATCH] Resign keys and relax flag requirements

---
 openpgp/forwarding.go | 10 +++++++---
 openpgp/forwarding_test.go | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/openpgp/forwarding.go b/openpgp/forwarding.go
index 3e447782d..c201b03d4 100644
--- a/openpgp/forwarding.go
+++ b/openpgp/forwarding.go
@@ -33,7 +33,6 @@ func (e *Entity) NewForwardingEntity(
 now := config.Now()
 i := e.PrimaryIdentity()
 if e.PrimaryKey.KeyExpired(i.SelfSignature, now) || // primary key has expired
- i.SelfSignature == nil || // user ID has no self-signature
 i.SelfSignature.SigExpired(now) || // user ID self-signature has expired
 e.Revoked(now) || // primary key has been revoked
 i.Revoked(now) { // user ID has been revoked
@@ -70,8 +69,7 @@ func (e *Entity) NewForwardingEntity(
 // Handle all forwarder subkeys
 for _, forwarderSubKey := range e.Subkeys {
 // Filter flags
- if !forwarderSubKey.Sig.FlagsValid || forwarderSubKey.Sig.FlagCertify || forwarderSubKey.Sig.FlagSign ||
- forwarderSubKey.Sig.FlagAuthenticate || forwarderSubKey.Sig.FlagGroupKey {
+ if !forwarderSubKey.PublicKey.PubKeyAlgo.CanEncrypt() {
 continue
 }
 
@@ -152,6 +150,12 @@ func (e *Entity) NewForwardingEntity(
 // 0x40 - This key may be used for forwarded communications.
 forwardeeSubKey.Sig.FlagForward = true
 
+ // Re-sign subkey binding signature
+ err = forwardeeSubKey.Sig.SignKey(forwardeeSubKey.PublicKey, forwardeeKey.PrivateKey, config)
+ if err != nil {
+ return nil, nil, err
+ }
+
 // Append each valid instance to the list
 instances = append(instances, instance)
 }
diff --git a/openpgp/forwarding_test.go b/openpgp/forwarding_test.go
index e32e9d517..2267c4ca6 100644
--- a/openpgp/forwarding_test.go
+++ b/openpgp/forwarding_test.go
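Review bot: With the `i.SelfSignature == nil` guard removed, `i.SelfSignature.SigExpired(now)` dereferences the self-signature unconditionally, and the removed check was already ineffective because the preceding line passes `i.SelfSignature` into `KeyExpired` before the nil test could run. Whether this is safe depends on `PrimaryIdentity()` never returning nil and every retained identity carrying a self-signature; that invariant is enforced (if at all) by the entity reader, not by anything visible in this hunk. If it is not guaranteed, the guard belongs in front of the whole condition, e.g. `if i == nil || i.SelfSignature == nil { return nil, nil, <invalid-key error> }`, rather than inside the `||` chain. The enclosing function continues outside the hunk.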
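Review bot: The new filter `!forwarderSubKey.PublicKey.PubKeyAlgo.CanEncrypt()` selects on algorithm alone, so a subkey whose binding signature never granted encryption usage, or has no valid key-flags subpacket at all, is now eligible for forwarding, where the removed condition at least excluded certifying, signing and authentication subkeys. Keeping the algorithm test but also requiring the signature to permit encryption would preserve the usage check, e.g. `if !forwarderSubKey.PublicKey.PubKeyAlgo.CanEncrypt() || (forwarderSubKey.Sig.FlagsValid && !forwarderSubKey.Sig.FlagEncryptCommunications && !forwarderSubKey.Sig.FlagEncryptStorage) { continue }`. `CanEncrypt()` is also true for RSA and ElGamal keys; if the proxy transformation in the rest of the loop only supports ECDH, comparing `PubKeyAlgo` against the ECDH algorithm directly is more precise. Nothing in this hunk skips revoked or expired subkeys either; if the loop body below does not do so, `forwarderSubKey.Revoked(now)` should be part of this filter. The loop body continues outside the hunk.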
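Review bot: The re-signing call reuses whatever `Hash`, `CreationTime` and expiration fields `forwardeeSubKey.Sig` already carries; the only field changed before `SignKey` is `FlagForward`. If that signature is a copy of the forwarder's original binding signature (constructed above the hunk, not visible here), the forwardee's new binding signature inherits the forwarder's hash algorithm and creation date instead of the configured ones and can predate the forwardee primary key that now issues it. Setting `forwardeeSubKey.Sig.CreationTime = now` and `forwardeeSubKey.Sig.Hash = config.Hash()` before the `SignKey` call makes the new signature reflect its actual signer and `config`; if the signature is instead built fresh for the forwardee, this does not apply. The loop body starts outside the hunk.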
@@ -83,6 +83,8 @@ func TestForwardingFull(t *testing.T) {
 t.Fatal(err)
 }
 
+ charlesEntity = serializeAndParseForwardeeKey(t, charlesEntity)
+
 if len(instances) != 1 {
 t.Fatalf("invalid number of instances, expected 1 got %d", len(instances))
 }
@@ -147,6 +149,8 @@ func TestForwardingFull(t *testing.T) {
 t.Fatal(err)
 }
 
+ danielEntity = serializeAndParseForwardeeKey(t, danielEntity)
+
 secondTransformed := transformTestMessage(t, transformed, secondForwardInstances[0])
 
 // Decrypt forwarded message for Charles
@@ -203,3 +207,21 @@ Loop:
 
 return transformed
 }
+
+func serializeAndParseForwardeeKey(t *testing.T, key *Entity) *Entity {
+ serializedEntity := bytes.NewBuffer(nil)
+ err := key.SerializePrivateWithoutSigning(serializedEntity, nil)
+ if err != nil {
+ t.Fatalf("Error in serializing forwardee key: %s", err)
+ }
+ el, err := ReadKeyRing(serializedEntity)
+ if err != nil {
+ t.Fatalf("Error in reading forwardee key: %s", err)
+ }
+
+ if len(el) != 1 {
+ t.Fatalf("Wrong number of entities in parsing, expected 1, got %d", len(el))
+ }
+
+ return el[0]
+}
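Review bot: `serializeAndParseForwardeeKey` fails the test from inside the helper without calling `t.Helper()`, so its three `t.Fatalf` calls report the helper's own line instead of the call site in TestForwardingFull; add `t.Helper()` as the first statement. The round trip only asserts that exactly one entity parses back, while the purpose of the commit is that the re-signed binding signature survives serialization; asserting on the parsed entity directly, for example that `el[0].Subkeys` is non-empty and that its binding signature still has `FlagForward` set, would pin that property instead of relying on the later decryption step to fail indirectly. Go convention also prefers lowercase, unpunctuated failure messages, e.g. `t.Fatalf("serializing forwardee key: %s", err)`.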