From b2bea751aa3458e6cd2825cc2fa953c0d3157c7c Mon Sep 17 00:00:00 2001
From: csoler
Date: Sat, 7 Dec 2013 14:29:46 +0000
Subject: [PATCH] restriction to only accept self-signed certificates for friend keys

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@6928 b45a01b8-16f6-495d-af2f-9b41ad6348cc
---
 libretroshare/src/pgp/pgphandler.cc | 43 ++++++++++++++++++-
 .../src/tests/pgp/test_certificate.cc | 6 +--
 2 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/libretroshare/src/pgp/pgphandler.cc b/libretroshare/src/pgp/pgphandler.cc
index 6f9b0eaf1..d3cc9071c 100644
--- a/libretroshare/src/pgp/pgphandler.cc
+++ b/libretroshare/src/pgp/pgphandler.cc
@@ -954,12 +954,51 @@ bool PGPHandler::LoadCertificateFromString(const std::string& pgp_cert,PGPIdType
 	free(mem) ;
 	error_string.clear() ;
 
+	// Check that there is exactly one key in this data packet.
+	//
+	if(tmp_keyring->nkeys != 1)
+	{
+		std::cerr << "Loaded certificate contains more than one PGP key. This is not allowed." << std::endl;
+		error_string = "Loaded certificate contains more than one PGP key. This is not allowed." ;
+		return false ;
+	}
+
+	// Check that the key is correctly self-signed.
+	//
+	const ops_keydata_t *keydata = ops_keyring_get_key_by_index(tmp_keyring,0);
+
+	ops_validate_result_t* result=(ops_validate_result_t*)ops_mallocz(sizeof *result);
+
+	if(!ops_validate_key_signatures(result,keydata,tmp_keyring,cb_get_passphrase))
+	{
+		std::cerr << "Cannot validate self-signature for this certificate. Format error?" << std::endl;
+		error_string = "Cannot validate self signature for this certificate. Format error?" ;
+		return false ;
+	}
+
+	bool found = false ;
+
+	for(uint32_t i=0;ivalid_count;++i)
+		if(!memcmp((unsigned char*)result->valid_sigs[i].signer_id,keydata->key_id,KEY_ID_SIZE))
+		{
+			found = true ;
+			break ;
+		}
+
+	if(!found)
+	{
+		error_string = "This key is not self-signed. This is required by Retroshare." ;
+		std::cerr << "This key is not self-signed. This is required by Retroshare." << std::endl;
+		ops_validate_result_free(result);
+		return false ;
+	}
+	ops_validate_result_free(result);
+
 #ifdef DEBUG_PGPHANDLER
 	std::cerr << " Key read correctly: " << std::endl;
-#endif
 	ops_keyring_list(tmp_keyring) ;
+#endif
 
-	const ops_keydata_t *keydata = NULL ;
 	int i=0 ;
 
 	while( (keydata = ops_keyring_get_key_by_index(tmp_keyring,i++)) != NULL )
diff --git a/libretroshare/src/tests/pgp/test_certificate.cc b/libretroshare/src/tests/pgp/test_certificate.cc
index b27c34de1..6659ea86a 100644
--- a/libretroshare/src/tests/pgp/test_certificate.cc
+++ b/libretroshare/src/tests/pgp/test_certificate.cc
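Review bot: The `!ops_validate_key_signatures(...)` failure branch returns without releasing the `result` buffer obtained from `ops_mallocz`, whereas the `!found` branch below does call `ops_validate_result_free(result)`; add `ops_validate_result_free(result);` before that branch's `return false ;`. The three new early returns (`nkeys != 1`, validation failure, `!found`) also skip whatever release of `tmp_keyring` the rest of LoadCertificateFromString performs after this hunk — the function starts before and continues past the hunk, so confirm the keyring is not leaked on these paths, or route the checks through a single cleanup point. The `nkeys != 1` diagnostic says "more than one PGP key" but the condition also fires for an empty keyring; `error_string = "Loaded certificate does not contain exactly one PGP key." ;` describes both cases. Whether `valid_sigs` can include self-issued revocation or subkey-binding signatures is not visible here; if it can, a revoked key would still satisfy the self-signature test, which is worth confirming against the libops validator. A comment stating the intent, `// A friend key must carry at least one valid signature issued by its own key id.`, would also make the memcmp loop's purpose clear.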
@@ -85,6 +85,7 @@ int main(int argc,char *argv[])
 	std::string name ;
 	std::list signers ;
 
+	PGPHandler::setPassphraseCallback(pgp_pwd_cb) ;
 	PGPHandler handler("toto1","toto2","toto3","toto4") ;
 
 	handler.getGPGDetailsFromBinaryBlock(cert.pgp_key(),cert.pgp_key_size(),key_id,name,signers) ;
@@ -114,10 +115,7 @@ int main(int argc,char *argv[])
 	std::string error_string ;
 	PGPIdType found_id ;
 
-	PGPHandler::setPassphraseCallback(pgp_pwd_cb) ;
-	PGPHandler pgph("pubring.pgp","secring.pgp","trustdb.pgp","lock") ;
-
-	bool result = pgph.LoadCertificateFromString(res,found_id,error_string) ;
+	bool result = handler.LoadCertificateFromString(res,found_id,error_string) ;
 
 	if(!result)
 		std::cerr << "Certificate error: " << error_string << std::endl;