CondorCORE/condorcore-keyring
CondorCORE/condorcore-keyring
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(trust): do not count revoked main keys for packager trust

Browse Source 
If a main key is revoked we do not want to use those keys to count
the required trust threshold.
This commit is contained in:
Levente Polyak 2022-02-25 21:36:35 +01:00
parent bae4859fd8
commit f908838822
No known key found for this signature in database
GPG Key ID: FC1B547C8D8172C8
2 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libkeyringctl/trust.py
View File

@ -85,6 +85,14 @@ def certificate_trust( # noqa: ignore=C901
""" """
fingerprint: Fingerprint = Fingerprint(certificate.name) fingerprint: Fingerprint = Fingerprint(certificate.name)
keyring_root = certificate.parent.parent.parent
# collect revoked main keys
main_keys_revoked: Set[Fingerprint] = set()
for main_key in main_keys:
for revocation in keyring_root.glob(f"main/*/{main_key}/revocation/*.asc"):
if main_key.endswith(revocation.stem):
main_keys_revoked.add(main_key)
revocations: Set[Fingerprint] = set() revocations: Set[Fingerprint] = set()
# TODO: what about direct key revocations/signatures? # TODO: what about direct key revocations/signatures?
@ -131,6 +139,9 @@ def certificate_trust( # noqa: ignore=C901
# only take main key certifications into account # only take main key certifications into account
if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer): if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
continue continue
# do not care about revoked main keys
if contains_fingerprint(fingerprints=main_keys_revoked, fingerprint=issuer):
continue
# do not care about certifications that are revoked # do not care about certifications that are revoked
if contains_fingerprint(fingerprints=revocations, fingerprint=issuer): if contains_fingerprint(fingerprints=revocations, fingerprint=issuer):
continue continue

17
tests/test_trust.py
View File

@ -161,6 +161,23 @@ def test_certificate_trust_three_main_signature_gives_full_trust(working_dir: Pa
assert Trust.full == trust assert Trust.full == trust
@create_certificate(username=Username("main1"), uids=[Uid("main1 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main2"), uids=[Uid("main2 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("main3"), uids=[Uid("main3 <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_uid_certification(issuer=Username("main1"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main2"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_uid_certification(issuer=Username("main3"), certified=Username("foobar"), uid=Uid("foobar <foo@bar.xyz>"))
@create_key_revocation(username=Username("main3"), keyring_type="main")
def test_certificate_trust_three_main_signature_one_revoked(working_dir: Path, keyring_dir: Path) -> None:
trust = certificate_trust(
test_keyring_certificates[Username("foobar")][0],
test_main_fingerprints,
test_all_fingerprints,
)
assert Trust.marginal == trust
@create_certificate(username=Username("main"), uids=[Uid("main <foo@bar.xyz>")], keyring_type="main") @create_certificate(username=Username("main"), uids=[Uid("main <foo@bar.xyz>")], keyring_type="main")
@create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")]) @create_certificate(username=Username("foobar"), uids=[Uid("foobar <foo@bar.xyz>")])
@create_key_revocation(username=Username("foobar")) @create_key_revocation(username=Username("foobar"))