author | Neal H. Walfield <[email protected]> | 2016-10-13 10:44:59 +0000 |
---|---|---|
committer | Neal H. Walfield <[email protected]> | 2016-10-13 10:44:59 +0000 |
commit | 4c0389f8eb19ae7dfd9c5d784a629b386d93cc5c (patch) | |
tree | de7bab354ce89648d13551ff6d7faac989760e0d /tests/openpgp/tofu.scm | |
parent | g10: Still check if the key is an UTK or cross signed in batch mode. (diff) | |
g10: Be more careful when checking cross signatures.
* g10/tofu.c (cross_sigs): When checking cross signatures, only
consider the signatures on the specified user id.
* tests/openpgp/tofu.scm: Add test for the above.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-1.gpg:
New file.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-1.txt: New file.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-2.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-2.txt: New file.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-3.txt: New file.
* tests/openpgp/tofu/cross-sigs/
1938C3A0E4674B6C217AC0B987DB2814EC38277E-secret.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-1.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-1.txt: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-2.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-2.txt: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-3.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-3.txt: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-4.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
DC463A16E42F03240D76E8BA8B48C6BD871C2247-secret.gpg: New file.
* tests/openpgp/tofu/cross-sigs/README: New file.
--
Signed-off-by: Neal H. Walfield
Diffstat (limited to 'tests/openpgp/tofu.scm')
-rwxr-xr-x | tests/openpgp/tofu.scm | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm
index e514ddfd1..96f7abe7a 100755
--- a/tests/openpgp/tofu.scm
+++ b/tests/openpgp/tofu.scm 
@@ -159,3 +159,76 @@
 (checkpolicy "BC15C85A" "ask")
 (checkpolicy "2183839A" "bad")
 (checkpolicy "EE37CF96" "ask")
+
+
+
+;; Check that we detect the following attack:
+;;
+;; Alice and Bob each have a key and cross sign them. Bob then adds a
+;; new user id, "Alice". TOFU should now detect a conflict, because
+;; Alice only signed Bob's "Bob" user id.
+
+(display "Checking cross sigs...\n")
+(define GPG `(,(tool 'gpg) --no-permission-warning
+ --faked-system-time=1476304861))
+
+;; Carefully remove the TOFU db.
+(catch '() (unlink (string-append GNUPGHOME "/tofu.db")))
+
+(define DIR "tofu/cross-sigs")
+;; The test keys.
+(define KEYA "1938C3A0E4674B6C217AC0B987DB2814EC38277E")
+(define KEYB "DC463A16E42F03240D76E8BA8B48C6BD871C2247")
+
+(define (verify-messages)
+ (for-each
+ (lambda (key)
+ (for-each
+ (lambda (i)
+ (let ((fn (in-srcdir DIR (string-append key "-" i ".txt"))))
+ (call-check `(,@GPG --trust-model=tofu --verify ,fn))))
+ (list "1" "2")))
+ (list KEYA KEYB)))
+
+;; Import the public keys.
+(display " > Two keys. ")
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYA "-1.gpg"))))
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYB "-1.gpg"))))
+;; Make sure the tofu engine registers the keys.
+(verify-messages)
+(display "<\n")
+
+;; Since their is no conflict, the policy should be auto.
+(checkpolicy KEYA "auto")
+(checkpolicy KEYB "auto")
+
+;; Import the cross sigs.
+(display " > Adding cross signatures. ")
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYA "-2.gpg"))))
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYB "-2.gpg"))))
+(verify-messages)
+(display "<\n")
+
+;; There is still no conflict, so the policy shouldn't have changed.
+(checkpolicy KEYA "auto")
+(checkpolicy KEYB "auto")
+
+;; Import the conflicting user id.
+(display " > Adding conflicting user id. ")
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYB "-3.gpg"))))
+(call-check `(,@GPG --trust-model=tofu
+ --verify ,(in-srcdir DIR (string-append KEYB "-1.txt"))))
+(verify-messages)
+(display "<\n")
+
+(checkpolicy KEYA "ask")
+(checkpolicy KEYB "ask")
+
+;; Import Alice's signature on the conflicting user id.
+(display " > Adding cross signature on user id. ")
+(call-check `(,@GPG --import ,(in-srcdir DIR (string-append KEYB "-4.gpg"))))
+(verify-messages)
+(display "<\n")
+
+(checkpolicy KEYA "auto")
+(checkpolicy KEYB "auto") |
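Review bot: `verify-messages` only iterates over `(list "1" "2")`, yet the commit message adds a `-3.txt` message for both keys, so as far as this hunk shows those two fixtures are never verified. If they are meant to exercise the state after Bob's "Alice" user id is imported, the conflict step should verify them as well; otherwise the files are dead weight. The `(checkpolicy KEYA "ask")` / `(checkpolicy KEYB "ask")` pair is the assertion that actually proves the attack is detected, and it is the only stage without a comment; I would add `;; Alice never signed Bob's "Alice" user id, so both keys must now be in conflict.` above it, and explain why `KEYB "-1.txt"` is verified separately just before `(verify-messages)` repeats it. `(catch '() (unlink ...))` discards every unlink error, so a `tofu.db` that exists but cannot be removed would leave stale bindings behind and could skew the later policy checks; a short comment stating that only a missing file is expected would make that assumption explicit. Minor: `;; Since their is no conflict` should read `there`.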