use sequoia_openpgp::{
parse::{
stream::{
- DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationHelper,
- VerifierBuilder,
+ DetachedVerifierBuilder, MessageLayer, MessageStructure, VerificationError,
+ VerificationHelper, VerifierBuilder,
},
Parse,
},
policy::StandardPolicy,
+ types::HashAlgorithm,
Cert, KeyHandle,
};
use std::io;
+use crate::config::WeakCryptoConfig;
+
struct Helper<'a> {
cert: &'a Cert,
}
if good {
Ok(()) // Good signature.
} else {
- for err in &errors {
- eprintln!("\t{err}");
+ if errors.len() > 1 {
+ eprintln!("\nEncountered {} errors:", errors.len());
+ }
+
+ for (n, err) in errors.iter().enumerate() {
+ if errors.len() > 1 {
+ eprintln!("\nSignature #{n}: {err}");
+ } else {
+ eprintln!("\n{err}");
+ }
+ match err {
+ VerificationError::MalformedSignature { error, .. }
+ | VerificationError::UnboundKey { error, .. }
+ | VerificationError::BadKey { error, .. }
+ | VerificationError::BadSignature { error, .. } => {
+ let mut cause = error.chain();
+ if cause.len() > 1 {
+ cause.next(); // already included in `err` above
+ eprintln!("Caused by:");
+ for (n, e) in cause.enumerate() {
+ eprintln!("\t{n}: {e}");
+ }
+ }
+ }
+ VerificationError::MissingKey { .. } => {} // doesn't contain a cause
+ };
}
- Err(anyhow::anyhow!("encountered {} error(s)", errors.len()))
+ eprintln!();
+ Err(anyhow::anyhow!("No valid signature found."))
}
}
}
+
+/// Verifies GPG-signed `msg` was signed by `key`, returning the verified data without signature.
pub(crate) fn verify_signature<'msg>(
msg: &'msg [u8],
key: &[u8],
detached_sig: Option<&[u8]>,
+ weak_crypto: &WeakCryptoConfig,
) -> Result<Vec<u8>, Error> {
let cert = Cert::from_bytes(key)?;
- let policy = StandardPolicy::new();
+ let mut policy = StandardPolicy::new();
+ if weak_crypto.allow_sha1 {
+ policy.accept_hash(HashAlgorithm::SHA1);
+ }
+ if let Some(min_dsa) = weak_crypto.min_dsa_key_size {
+ if min_dsa <= 1024 {
+ policy.accept_asymmetric_algo(sequoia_openpgp::policy::AsymmetricAlgorithm::DSA1024);
+ }
+ }
+ if let Some(min_rsa) = weak_crypto.min_rsa_key_size {
+ if min_rsa <= 1024 {
+ policy.accept_asymmetric_algo(sequoia_openpgp::policy::AsymmetricAlgorithm::RSA1024);
+ }
+ }
+
let helper = Helper { cert: &cert };
let verified = if let Some(sig) = detached_sig {