Fixes #5069 - PGP: Encryption fails if any uid is revoked

zammad · Mar 13, 2024 · 7a85098 · 7a85098
1 parent 76887fc
commit 7a85098
Show file tree

Hide file tree

Showing 11 changed files with 72 additions and 4 deletions.
diff --git a/lib/secure_mailing/pgp/outgoing.rb b/lib/secure_mailing/pgp/outgoing.rb
@@ -157,7 +157,7 @@ def encrypted_part(data)
   def encrypted_body(data)
     SecureMailing::PGP::Tool.new.with_private_keyring do |pgp_tool|
       keys.each { |key| pgp_tool.import(key.key) }
-      encrypted_result = pgp_tool.encrypt(data, keys.map(&:email_addresses).flatten)
+      encrypted_result = pgp_tool.encrypt(data, keys.map(&:fingerprint))
 
       encrypted_result[:stdout]
     end

diff --git a/lib/secure_mailing/pgp/tool/parse.rb b/lib/secure_mailing/pgp/tool/parse.rb
@@ -10,6 +10,8 @@ module SecureMailing::PGP::Tool::Parse
   PGP_KEY_INFO_EXPIRES_AT_TIMESTAMP = 6
   PGP_KEY_INFO_CREATED_AT_TIMESTAMP = 5
   PGP_KEY_INFO_UID = 9
+  PGP_KEY_INFO_UID_VALIDITY = 1
+  PGP_KEY_INFO_UID_INVALID_STATE = %w[i d r n].freeze
 
   included do # rubocop:disable Metrics/BlockLength
 
@@ -43,7 +45,8 @@ def parse_info(data)
         info[:fingerprint] = fingerprint(fpr)
 
         uids = chunks.select { |chunk| chunk.start_with?('uid') }
-        info[:uids] = uids.map { |uid| uid(uid) }
+        uids = uids.map { |uid| uid(uid) }
+        info[:uids] = uids.compact
       end
 
       PGP_KEY_INFO.new(*info.values)
@@ -68,7 +71,10 @@ def fingerprint(chunk)
     end
 
     def uid(chunk)
-      chunk.split(':').fetch(PGP_KEY_INFO_UID)
+      hunks = chunk.split(':')
+      return nil if PGP_KEY_INFO_UID_INVALID_STATE.include?(hunks.fetch(PGP_KEY_INFO_UID_VALIDITY))
+
+      hunks.fetch(PGP_KEY_INFO_UID)
     end
 
     def secret?(chunks)

diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.created_at b/spec/fixtures/files/pgp/zammad@localhost.revuid.created_at
@@ -0,0 +1 @@
+2024-03-12T07:15:46Z
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.expires_at b/spec/fixtures/files/pgp/zammad@localhost.revuid.expires_at
@@ -0,0 +1 @@
+never
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.fingerprint b/spec/fixtures/files/pgp/zammad@localhost.revuid.fingerprint
@@ -0,0 +1 @@
+3B2616D73D3C61878F20060D663032CA5D39C8E6
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.passphrase b/spec/fixtures/files/pgp/zammad@localhost.revuid.passphrase
@@ -0,0 +1 @@
+zammad
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.pgp b/spec/fixtures/files/pgp/zammad@localhost.revuid.pgp
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.pub.asc b/spec/fixtures/files/pgp/zammad@localhost.revuid.pub.asc
@@ -0,0 +1,44 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGXwASIBCADEpEEa9mBMN5wrOlt3gRa+1Y3mkXsLv2ArU+Umz2Tq6cCUL3GP
+WktnaFqEhxXAGNzoEhp1fAzrS2WD8xoJ36mzPQ5VB3jL8/XoUJnJLe1wJjPO9ctu
+1UxNMzbPYQ5Tz/2gcsebLJ1mnksaaWUjiApN9iz5dkF9cmOlsN1glxFbujEwE20V
+9F6276Dbj9MoKcJhbra1Rm8socJs397fTdGlGQ5FQ5gZ1YP7NVrSze2mTdF7kxlP
+XoyNZ1NRhuHip7WR7Z7VmHwq2SgY+JL09ZbvTUq1fR7qbOPLbydv6U1eDUt9fsmT
+5GdFwTfjPd07IlRPduZL03/4MkjOGAnR89YDABEBAAG0EHphbW1hZEBsb2NhbGhv
+c3SJAU4EEwEKADgWIQQ7JhbXPTxhh48gBg1mMDLKXTnI5gUCZfABIgIbAwULCQgH
+AgYVCgkICwIEFgIDAQIeAQIXgAAKCRBmMDLKXTnI5kCBCADByeqnwtZ6S2PbKnNm
+kQfF57PwU4YEU0JaiFZTI3oL3w2LO3x+G4qTzStU6vWKmHrObkJQX4B8ZVzLYsNp
+6cySYGpKZzY2H4KBnp53b3Gmi6of8/CJCrl6SyjkJ//Q6vrz4ViRFXcGHnmTZSJ2
+c4y7WR86cBXN9ea3HN3DxJIEPO93zx9tbz2nglyTTIhKjemIPIVuID02m6T5nwdQ
+2hFuYfqQ+ZKNfxi6T1sbaMl2U0F/ra39txdG1Wh/xccsYH0ObEa5yJOQrIjZLrD3
+uI+3+qvqTGJsBP0hu6dWD+b2LUW6RNJAeGdpIYNeap/czExvsnYTznzULGG1+Wu2
+RJe2tBF6YW1tYWRAbG9rYWxob3JzdIkBNgQwAQoAIBYhBDsmFtc9PGGHjyAGDWYw
+MspdOcjmBQJl8AGuAh0AAAoJEGYwMspdOcjmH6oIALzc2z+G9vTlJriUuLf8jzqc
+Gweaj9CIr796UldR/Q+fVwSw6iOb8vazztj+tYeim0AxrXGJ29euK8fhieJgaKLl
+9N421PpVktp8HIa/XMyyLcgWbGhgJz7yNQOn78NQP3Eeg2WAwOZMbFMICnC7Qjw7
+c53rx0l2M/MXJYLfPUmpWNY9/TigL38h/yVr/xw5Qg2CQSc58gx0fgRfpzktNF4s
+prVeKdsJOfowMUA3d4d2XQGSy8MQkqRwPyyjHc8XIgU5kLcLogExzoSCweAP9Ed2
+Xmh2yPB+EYw4p2WIITcqJ72iyJJjMHSKxf5gyDki+lsjaOTYs0AgixHZQ4gn4LyJ
+AU4EEwEKADgWIQQ7JhbXPTxhh48gBg1mMDLKXTnI5gUCZfABmAIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRBmMDLKXTnI5mOHB/kBYlZMgnb4ydQMY2GrVeCt
+QtNhPBnQ4VmKfoDZq2G9hlNVxfYOn9RFD/0EMc8DyebBEho9lWCcb3lhh0wdSrxp
+IR1nnXsC3Hdnwkncc+W4FMzW7/V2fZHd8p4Qd0qx61yQLYLzHB0BVCbwtDRrkYhM
+kE5VmuA10i9H7fXlWihtpfUUYn6z3hSJwMaX4kXAlDyMtD6K5s+QjTTLQscWoey+
+iTSrx5VX8842gRkQ8vFyXdURhl2vb0lUPMq3f6/NlfF6h9CRvDd/K+/3nuhRXcf1
+HET/ryHxpsedJaOhYrnxZlldnrhQGazUcX2RB6J5Je60zJ3O2+AfvyHyuxI8f230
+uQENBGXwASIBCADAKoypEcWB9uQLQzVyEGcMz+x+h1PkY1r04bc/OjijCNH2WuVn
+1eow11s3ZWBCI6TphvrqE+wVkkg8/fbI16R3Hz7tNJy0t6Md67CxYzGJm0Mxjsu+
+3jaOX1XKEQ2FtZDEA1r0fDppzYMCC2WBLE1VSExOf3R9w9069e/hPTlukB/HAXOC
+47ofSO5NZ9TPUAr6wK/k/2VcRYy6cykBPmsqKhz7Vvmx0+bWm9Z1FZAVs7tUjJ/w
++BgRzRXfAZBhBEs8PyCjVVJa241pe4YfRskbz8LVaU1m98GLHWHAwJjAZd1pjTo1
+bWiBP6frdeypIjyenLLn9kD7a/8Pd/0MS+S7ABEBAAGJATYEGAEKACAWIQQ7JhbX
+PTxhh48gBg1mMDLKXTnI5gUCZfABIgIbDAAKCRBmMDLKXTnI5igRCACDE6YbW8na
+14OkOn+C8kPuC5Yh5tp4lWGy8eE4krgwMkhFr08qNG+VmgsaapmglGBfrrTp7PEP
+OkhpP6tHKJbi48sXyXt8MC90s0esPDN1m7e7c37sunhIGS68DJuCZOlRyws8AaKz
+cmldlCJSWxZ+1JdUHqhekWf4GnoOUiJGsWrbMDH5tLPtUmFnx5dLrVbq6GiEsPbk
+HrLU3huCvgAbUc6K9BAClS3bo37ODbNlFYwmaGuGVu0Gp5ki4sI9i63rTDZexJpn
+og+eG4Lerq0Y4rtt38gxb9nvUHmhaZPdUoeWpQjgSkOP9cjSLxpgOixL2Kalh4v3
+Qew4fh29ogX/
+=0iOZ
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.pub.pgp b/spec/fixtures/files/pgp/zammad@localhost.revuid.pub.pgp
diff --git a/spec/fixtures/files/pgp/zammad@localhost.revuid.uid b/spec/fixtures/files/pgp/zammad@localhost.revuid.uid
@@ -0,0 +1 @@
+zammad@lokalhorst
diff --git a/spec/lib/secure_mailing/pgp/tool_spec.rb b/spec/lib/secure_mailing/pgp/tool_spec.rb
@@ -114,7 +114,7 @@
       end
     end
 
-    context 'with an key including a revoked subkey' do
+    context 'with an key including a revoke subkey' do
       let(:key)         { FIXTURES_FILES_PATH.join('zammad@localhost.revoker.pub.asc').read }
       let(:fingerprint) { FIXTURES_FILES_PATH.join('zammad@localhost.revoker.fingerprint').read }
       let(:created_at)  { DateTime.parse(FIXTURES_FILES_PATH.join('zammad@localhost.revoker.created_at').read) }
@@ -124,6 +124,19 @@
         expect(info).to have_attributes(fingerprint: fingerprint, uids: ['zammad@localhost'], created_at: created_at, expires_at: expires_at, secret: false)
       end
     end
+
+    context 'with an key including a revoked uid' do
+      let(:key)         { FIXTURES_FILES_PATH.join('zammad@localhost.revuid.pub.asc').read }
+      let(:fingerprint) { FIXTURES_FILES_PATH.join('zammad@localhost.revuid.fingerprint').read }
+      let(:created_at)  { DateTime.parse(FIXTURES_FILES_PATH.join('zammad@localhost.revuid.created_at').read) }
+      let(:expires_at)  { nil }
+      let(:revuid)      { FIXTURES_FILES_PATH.join('zammad@localhost.revuid.uid').read }
+
+      it 'returns information of a public key successfully' do
+        expect(info.uids.exclude?(revuid)).to be true
+        expect(info).to have_attributes(fingerprint: fingerprint, uids: ['zammad@localhost'], created_at: created_at, expires_at: expires_at, secret: false)
+      end
+    end
   end
 
   describe '#export' do