From: Peter Palfrader
Date: Tue, 8 Jul 2008 12:33:06 +0000 (+0200)
Subject: Check that the primary key is not expired, even if we get a GOODSIG status from
X-Git-Tag: userdir-ldap-0.3.34~1
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=commitdiff_plain;h=ad01f23258ec16be62e092ab4deb4a31fc3163d5

Check that the primary key is not expired, even if we get a GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse
---
diff --git a/debian/changelog b/debian/changelog
index 9fb1088..c4e7c56 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,8 +9,10 @@ userdir-ldap (0.3.XX) unstable; urgency=low
* userdir_gpg.py - do not use SIGEXPIRED, it's deprecated - use EXPKEYSIG to tell if a signature is made by an expired key.
+ - Check that the primary key is not expired, even if we get a
+ GOODSIG status from gnupg. Based on patch by Jeremy T. Bouse.
- -- Peter Palfrader Tue, 08 Jul 2008 14:17:57 +0200
+ -- Peter Palfrader Tue, 08 Jul 2008 14:27:26 +0200
userdir-ldap (0.3.33) unstable; urgency=low
diff --git a/userdir_gpg.py b/userdir_gpg.py
index 273ac47..c883d14 100644
--- a/userdir_gpg.py
+++ b/userdir_gpg.py
@@ -343,7 +343,15 @@ def GPGCheckSig(Message):
GoodSig = 1;
KeyID = Split[2];
Owner = ' '.join(Split[3:])
-
+ # If this message is signed with a subkey which has not yet
+ # expired, GnuPG will say GOODSIG here, even if the primary
+ # key already has expired. This came up in discussion of
+ # bug #489225. GPGKeySearch only returns non-expired keys.
+ Verify = GPGKeySearch(KeyID);
+ if len(Verify) == 0:
+ GoodSig = 0
+ Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyId);
+
# Bad signature response
if Split[1] == "BADSIG":
GoodSig = 0;
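Review bot: The new failure branch raises NameError instead of reporting an expired key: the format argument on the `Why = ...` line is spelled `KeyId`, while the variable assigned three lines earlier in the hunk is `KeyID`, so the first message signed with a still-valid subkey of an expired primary key crashes GPGCheckSig rather than returning GoodSig = 0 — exactly the case this commit sets out to reject. Change the line to `Why = "Key has expired (no unexpired key found in keyring matching %s)"%(KeyID);`. GPGCheckSig's body continues outside the hunk, so I cannot see whether a later status line (for example a second GOODSIG in the same output) can set GoodSig back to 1 after this check; it is worth confirming the expiry verdict is sticky for the whole status stream.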
@@ -426,6 +434,8 @@ def GPGCheckSig(Message):
# to GPG for processing. The result is a list of tuples of the form:
# (KeyID,KeyFinger,Owner,Length)
# Which is similar to the key identification tuple output by GPGChecksig
+ #
+ # Do not return keys where the primary key has expired
def GPGKeySearch(SearchCriteria):
Args = [GPGPath] + GPGBasicOptions + GPGKeyRings + GPGSearchOptions + \
[SearchCriteria," 2> /dev/null"]
@@ -433,6 +443,7 @@ def GPGKeySearch(SearchCriteria):
Result = [];
Owner = "";
KeyID = "";
+ Expired = None;
Hits = {};
dir = os.path.expanduser("~/.gnupg")
@@ -454,13 +465,15 @@ def GPGKeySearch(SearchCriteria):
KeyID = Split[4];
Owner = Split[9];
Length = int(Split[2]);
+ Expired = Split[1] == 'e'
# Output the key
if Split[0] == 'fpr':
if Hits.has_key(Split[9]):
continue;
Hits[Split[9]] = None;
- Result.append( (KeyID,Split[9],Owner,Length) );
+ if not Expired:
+ Result.append( (KeyID,Split[9],Owner,Length) );
finally:
if Strm != None:
Strm.close();
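Review bot: The new header comment should also state how SearchCriteria reaches GnuPG, because GPGCheckSig now depends on this function as a security check: the argument list ends in a literal `" 2> /dev/null"`, which only has an effect if the list is later joined into a shell command line, so the search string apparently goes through a shell without quoting. With the new caller passing a key ID taken from GnuPG's own status output that is acceptable, but the contract belongs next to the new "Do not return keys..." line, e.g. `# SearchCriteria is interpolated into a shell command line; pass only GnuPG-produced key IDs or fingerprints, never user-supplied text.` The rest of GPGKeySearch, including where Args is executed, lies outside this hunk, so the shell inference should be confirmed there.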
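Review bot: `Expired = Split[1] == 'e'` filters on the single validity flag 'e', so a primary key whose colon-listing validity is 'r' (revoked) or 'i' (invalid) is still returned, and GPGCheckSig's new check — which only asks whether the search came back empty — would accept a signature from a valid subkey of such a key. Whether that is reachable depends on GnuPG emitting REVKEYSIG rather than GOODSIG in that situation, which this diff does not let me confirm; if the intent is "primary key unusable" rather than strictly "expired", `Expired = Split[1] in ('e', 'r', 'i')` (with the name and the header comment adjusted to match) closes the gap. Note also that Expired is set on the `pub` record and consumed on the following `fpr` record, so it relies on every `fpr` line being preceded by its own `pub` line; the enclosing loop and its record-type test start outside the hunk.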