From 6cf5f07958889e2ee99ce04dd203ef7db4700eb3 Mon Sep 17 00:00:00 2001 From: "Neal H. Walfield" Date: Tue, 29 Mar 2022 13:41:18 +0200 Subject: [PATCH] Before importing an OpenPGP certificate, lint it When importing an OpenPGP certificate, lint the certificate to show the user possible issues. Fail if the certificate is completely unusable. Using the Sequoia backend, this yields, for instance: $ ./rpmkeys --import tests/data/keys/alice-revoked-subkey.asc Certificate B3A771BFEB04E625: Subkey 1F71177215217EE0 was revoked: Key material has been compromised, it was the maid Certificate does not have any usable signing keys Fixes #1974. (cherry pick d703160334ff545ce8bf7475da5689422f43dacc) --- include/rpm/rpmpgp.h | 26 ++++++++++++++++++++++++++ lib/rpmts.c | 15 +++++++++++++++ rpmio/rpmpgp_internal.c | 5 +++++ 3 files changed, 46 insertions(+) diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h index 7e0daf5ab5..a3238a6439 100644 --- a/include/rpm/rpmpgp.h +++ b/include/rpm/rpmpgp.h @@ -1069,6 +1069,32 @@ pgpArmor pgpParsePkts(const char *armor, uint8_t ** pkt, size_t * pktlen); */ int pgpPubKeyCertLen(const uint8_t *pkts, size_t pktslen, size_t *certlen); +/** \ingroup rpmpgp + * Lints the certificate. + * + * There are four cases: + * + * The packets do not describe a certificate: returns an error and + * sets *explanation to NULL. + * + * The packets describe a certificate and the certificate is + * completely unusable: returns an error and sets *explanation to a + * human readable explanation. + * + * The packets describe a certificate and some components are not + * usable: returns success, and sets *explanation to a human readable + * explanation. + * + * The packets describe a certificate and there are no lints: returns + * success, and sets *explanation to NULL. + * + * @param pkts OpenPGP pointer to a buffer with certificates + * @param pktslen length of the buffer with certificates + * @param[out] explanation An optional lint to display to the user. + * @return RPMRC_OK on success + */ +rpmRC pgpPubKeyLint(const uint8_t *pkts, size_t pktslen, char **explanation); + /** \ingroup rpmpgp * Wrap a OpenPGP packets in ascii armor for transport. * @param atype type of armor diff --git a/lib/rpmts.c b/lib/rpmts.c index 3de456af9b..0b6b7ac6be 100644 --- a/lib/rpmts.c +++ b/lib/rpmts.c @@ -604,6 +604,7 @@ rpmRC rpmtsImportPubkey(const rpmts ts, const unsigned char * pkt, size_t pktlen { Header h = NULL; rpmRC rc = RPMRC_FAIL; /* assume failure */ + char *lints = NULL; rpmPubkey pubkey = NULL; rpmPubkey *subkeys = NULL; int subkeysCount = 0; @@ -615,6 +616,20 @@ rpmRC rpmtsImportPubkey(const rpmts ts, const unsigned char * pkt, size_t pktlen if (txn == NULL) return rc; + krc = pgpPubKeyLint(pkt, pktlen, &lints); + if (lints) { + if (krc != RPMRC_OK) { + rpmlog(RPMLOG_ERR, "%s\n", lints); + } else { + rpmlog(RPMLOG_WARNING, "%s\n", lints); + } + free(lints); + } + if (krc != RPMRC_OK) { + rc = krc; + goto exit; + } + /* XXX keyring wont load if sigcheck disabled, force it temporarily */ rpmtsSetVSFlags(ts, (oflags & ~RPMVSF_MASK_NOSIGNATURES)); keyring = rpmtsGetKeyring(ts, 1); diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c index cd42dcf715..d0c9a55706 100644 --- a/rpmio/rpmpgp_internal.c +++ b/rpmio/rpmpgp_internal.c @@ -1431,3 +1431,8 @@ char * pgpArmorWrap(int atype, const unsigned char * s, size_t ns) return val; } +rpmRC pgpPubKeyLint(const uint8_t *pkts, size_t pktslen, char **explanation) +{ + *explanation = NULL; + return RPMRC_OK; +}