easier revocation checks #225
Comments
so this can partly be done right now, provided that you have the key material of the delegated revokers.

```python
for keyclass, algo, fingerprint in somekey.revocation_keys():
    if fingerprint == somekey.fingerprint:
        revoker = somekey
    else:
        revoker = PGPKey.from_thin_air(fingerprint)  # obviously that part is missing
    revoker.verify(somekey, somekey.revocation_signatures())
```

the challenge here, obviously, is to verify revocation on
looking at this comment, it seems the above code misses some key part of the RFC, namely that the keyclass and algo fields must match the signature as well, something that
It may not be obvious for users of the API that we can get the list of revoker keys for a given key from the (private) _signature list, so add a convenient accessor. This is not really useful right now because it will raise a NotImplementedError if any such signature is found, but will become actually quite useful once SecurityInnovation#198 lands. This is part of the process to make revocation checks easier in SecurityInnovation#225.
and obviously, this doesn't actually work:

```python
for keyclass, algo, fingerprint in somekey.revocation_keys():
```

so I made #227 to fix that.
so here's how i implemented this so far: instead of relying on a blind

```python
def is_revoked(subkey, primary=None):
    revoker = primary or subkey
    for sig in subkey.revocation_signatures():  # needs #227
        # self-signed revocations only: the signer must be the key itself
        # (or its primary key, when checking a subkey)
        if sig.signer != revoker.fingerprint.keyid:
            continue
        verified = revoker.verify(subkey, sig)
        if verified:
            return verified
    return False
```

... and that's just for self-signatures. for revoker delegation, we'll probably need to turn that into a set of revokers and dynamically load the public key material for those folks in my program.
and yes, this could be part of the PGPKey API, which would be, as @Commod0re suggested, "did key A revoke key B" semantics:

```python
import logging

def revoked(self, key):
    for sig in key.revocation_signatures():  # needs #227
        # accept only signatures issued by this key or by one of its subkeys
        if sig.signer not in {self.fingerprint.keyid} | set(self.subkeys):
            continue
        logging.debug('checking revocation signature %r', sig)
        verified = self.verify(key, sig)
        if verified:
            return verified
    return False
```

(Maybe SignatureVerification elements could be aggregated here somehow and be returned in one shot.) Then this would be used like this:

```python
revoker = primary or subkey
if revoker.revoked(subkey):
    return True
revokers = list(subkey.revocation_keys())
# PGPKey.from_keyserver is hypothetical here: the designated revokers' public
# key material has to come from somewhere outside the key being checked
for revoker in [PGPKey.from_keyserver(x) for x in revokers]:
    if revoker.revoked(subkey):
        return True
```

logic like this is now defined in how does that look?
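The two points the thread keeps returning to, that a third-party revocation is only acceptable when the signer matches a designated revoker on both fingerprint and public-key algorithm (RFC 4880 section 5.2.3.15), and that the set of acceptable revokers is "the key itself plus its designated revokers", can be shown without PGPy at all. The following is an added example, not code from this thread or from the PGPy project: it parses the subpacket area of a self-signature with the standard library only, extracts the Revocation Key subpackets, and decides whether a given signer is an authorized revoker. `encode_subpacket`, `revocation_keys`, `issuer_fingerprint`, `authorized_revoker` and the sample fingerprints are this example's own names, not PGPy API, and the subpacket area is constructed data, not a real key. It deliberately stops at authorization: the revocation signature itself still has to be verified with the signer's public key material, which is exactly why the thread doubts `is_revoked` can be a plain property.

```python
"""Added example: parse Revocation Key subpackets (RFC 4880 5.2.3.15) out of a
self-signature's subpacket area and decide whether a revocation signature's
issuer is an authorized revoker.  Standard library only; every key below is
constructed, and none of these names are PGPy API."""
import struct
from dataclasses import dataclass

SUBPACKET_REVOCATION_KEY = 12      # RFC 4880 5.2.3.15
SUBPACKET_ISSUER_FINGERPRINT = 33  # RFC 4880bis: version octet + fingerprint


@dataclass(frozen=True)
class RevocationKey:
    keyclass: int       # bit 0x80 must be set; bit 0x40 marks the designation "sensitive"
    algo: int           # public-key algorithm the revoker key must use
    fingerprint: bytes  # 20-octet v4 fingerprint of the revoker

    @property
    def sensitive(self):
        return bool(self.keyclass & 0x40)


def encode_subpacket(typ, body):
    """Build one subpacket: length prefix (RFC 4880 5.2.3.1), type octet, body."""
    length = len(body) + 1
    if length < 192:
        prefix = bytes([length])
    elif length < 8384:
        prefix = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        prefix = b'\xff' + struct.pack('>I', length)
    return prefix + bytes([typ]) + body


def iter_subpackets(area):
    """Yield (type, body) pairs from a hashed or unhashed subpacket area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length = ((first - 192) << 8) + area[pos + 1] + 192
            pos += 2
        else:
            length = struct.unpack('>I', area[pos + 1:pos + 5])[0]
            pos += 5
        packet = area[pos:pos + length]
        if len(packet) != length:
            raise ValueError('truncated subpacket')
        pos += length
        yield packet[0] & 0x7F, packet[1:]  # high bit of the type octet is "critical"


def revocation_keys(area):
    """Designated revokers declared in the key's self-signature."""
    found = []
    for typ, body in iter_subpackets(area):
        if typ != SUBPACKET_REVOCATION_KEY:
            continue
        if len(body) != 22:
            raise ValueError('malformed Revocation Key subpacket')
        keyclass, algo, fpr = body[0], body[1], body[2:]
        if not keyclass & 0x80:
            raise ValueError('Revocation Key class octet must have bit 0x80 set')
        found.append(RevocationKey(keyclass, algo, fpr))
    return found


def issuer_fingerprint(area):
    """Full v4 issuer fingerprint from subpacket 33, or None if only a key ID is present."""
    for typ, body in iter_subpackets(area):
        if typ == SUBPACKET_ISSUER_FINGERPRINT and body[0] == 4:
            return body[1:21]
    return None


def authorized_revoker(target_fpr, revokers, signer_fpr, signer_algo):
    """Is the signer allowed to revoke the target?  Self-revocation always is; a
    third party must match a designated revoker on fingerprint *and* algorithm.
    Authorization only: the signature still needs verifying with the signer's key."""
    if signer_fpr == target_fpr:
        return True
    return any(r.fingerprint == signer_fpr and r.algo == signer_algo for r in revokers)


# Constructed sample (not real keys): synthetic 20-octet fingerprints.
PRIMARY_FPR = bytes.fromhex('11' * 20)
REVOKER_FPR = bytes.fromhex('22' * 20)
STRANGER_FPR = bytes.fromhex('33' * 20)
RSA, EDDSA = 1, 22  # public-key algorithm IDs (RFC 4880 9.1, RFC 4880bis)

SAMPLE_HASHED_AREA = (
    encode_subpacket(2, struct.pack('>I', 1600000000))                                    # creation time
    + encode_subpacket(12, bytes([0x80 | 0x40, RSA]) + REVOKER_FPR)                       # sensitive designated revoker
    + encode_subpacket(20, b'\x80\x00\x00\x00\x00\x04\x00\xbb' + b'name' + b'v' * 187)    # notation; exercises 2-octet length
    + encode_subpacket(33, b'\x04' + PRIMARY_FPR)                                         # issuer fingerprint
)
```

Note that `authorized_revoker` works on full fingerprints: the older Issuer subpacket (type 16) carries only the 8-octet key ID, which is why the check above reads the issuer fingerprint from subpacket 33 when it is present, and why the thread treats that field as indicative until the signature is actually verified against real public key material.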
There is a neat `is_expired` property in the PGPKey class. We should also have an `is_revoked` property to easily check if a key is revoked. That property should:

The latter may require this to be a real function, not a property, because we may have to pass public key material to verify the revocation signature, in case of third-party revocations. With RFCbis, the full fingerprint is attached to signatures, so we may be able to check against that, but that seems flaky as well: that field is just indicative...

So I'm not sure this can be a property. Maybe this could be an indicative `is_revoked` property that needs to be checked with an actual `verify` using actual public key material.