Add tests for setting of designated revoker.

rnpgp · Dec 28, 2023 · b17e096 · b17e096
1 parent 79adb37
commit b17e096
Show file tree

Hide file tree

Showing 2 changed files with 161 additions and 0 deletions.
diff --git a/src/tests/data/test_stream_key_load/ecc-25519-2subs-sec.asc b/src/tests/data/test_stream_key_load/ecc-25519-2subs-sec.asc
@@ -0,0 +1,36 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xYYEWsN6MBYJKwYBBAHaRw8BAQdAAS+nkv9BdVi0JX7g6d+O201bdKhdowbielOougCpCfj+BwMC
+kuClwXrc7H3i9J2+l5bS6+TGJVRP2/yrh9tCcsgmUf0Z1T7uwS7ABadlAPIokvZ3aLmU5ahSJY7S
+pK/EV3vEG76FMCxxXOJTDIKfsHoS880JZWNjLTI1NTE5wpQEExYIADwCGwMFCwkIBwIDIgIBBhUK
+CQgLAgQWAgMBAh4DAheAFiEEIfxoJ0quO13jmkJ3zHhieJgbBygFAlxVr80ACgkQzHhieJgbByiU
+UAD+My3dFRRvnG3rclbocVytirRGsMBxgyxcBjveJmk+wRwBAOYpsfbUuTCgKVT1GtQlJhmcyVr+
+lB2A7F3v8+NEKlsKx8MGBGWKu+MBCADrrci5Yes25POd5AtX2fLQyJFiVfH6fRL9UrgmTGaHa7uZ
+hGaUhAjigKi7ZD4XEAVr3a9OvagiLmF/DyhRGtBFkmxtMQi0feqgOW0XY6+mLfghUKDgrvzP0B2y
+FhlA4VbtpWhJ8XUNSx5+Fg84H6DR597ELfo5vckQfXMQKR2XsWLV513aFVcnDx4QZVSLfTHmUNN4
+AKyY/MclO+vpWCpOaGvDcrXgxsjzqMuko7BpGd8I9+aAV8VOYruO49Wdv/PEok2+fAzmYwDcq0Uc
+o5y4cEKxeKUBvEaVssZMGqWZwMPhy90M8/hMr+oA1IMZImV/MKosVeCAS4dqL4WS2lbNABEBAAH+
+CQMINg2MvEJ8tybFzJappxxEV60vuiRlZ2WoFGJVwNfHEBGAs78iD7ZZThOpetdlVAzLGCnwbog1
+LGwzedB7T4s7oVgrZtVtdTat4Humeok8YljJZ/wpz4dAnTERP1bU0E+uBkiGcxMUjQ/lpbT+0mL6
+Zz/oZSQ+qwlm3WxWmN+K9YfmgO/77t0VrOeVrA9xXyH8/EnxRVAV2JmVHR4GRim3uijIkNSF6aIX
+wpsANlvlC7hnPy5znquTUS7kyyXwBE/ajyBRTEASpITVaTgcXYcOWkYMKpg6E9k1umCHAFDi1nEU
+I27w3ju1IAmfxkMjkXk0TSlGdXZeWWv7qyN8BDE25qpL1gRjcTgvec/oFkuV6dCXSZ6HlCL8r2mn
+I0T8BMR7pc581Alv8mVfkAdxGI3Jtb0Eg85z5BIxcn4UYpqOJQa5pcSr67pMEVQm+SobEogDIUR4
+Wp1CJqoIVaN6gOetx6nJZQZCmPw4Hw/HttakZX4cDKk3pOzYtZOXXYA21+laUoWum2nfX3IC1VKK
+Ci7qJVGtusrLLdKopOkBg/xOwrL6zqN4gtkLQs/dYBBX72KhH2121MkoOovdE3kobsgwxvnuMjVr
+7vCNxk8H11CnLc+Pz71z5L+nNnuDr6eJkpzsR5OGa/9HUPHWjnBRvw14f4CmOAuhcnmQeXxVtR8O
+Vk1imVlcRe5atST4O4Ie3ZEfqDY/mE1fMr0cvv4hcaoX98Oe+krLWkpABrF0sQOKOeqiO95a8nqG
+xcS/dGwoK2anfFiueWLgT3waSfgIgBup5KlfoV9/68IQlV8C8WLWq+zlmKJce3rzIaKtyqN/RrVh
+eGvWWxQD2a880ZyZ5+rjnu4yEluvEfuLnqC92AR1Z9V5NOCq3wepMUYiyx7+fhpzcoZx/jljPbR3
+QdPZFCkau/J081sPwn4EGBYIACYWIQQh/GgnSq47XeOaQnfMeGJ4mBsHKAUCZYq75AUJA8JnAAIb
+DAAKCRDMeGJ4mBsHKOWaAP4n9VVjJVfaP6u93+M6gu6xxxyrHvO/C1COuNM5O/oC7AEAyIC2CZOK
+z/oPFb4XXb9K9IFMmW8AsoHJgbKVzE6c9gvHhgRlirwDFgkrBgEEAdpHDwEBB0C8c/Z5jhqLKKja
+39fiaENXaS/QSFg/uVi3soP7xwsVPf4JAwg28w+7+7oyKcQgMOnU82KBCb2dX8KrVFbIeruyNepX
+ZAcFFr2UBT3Z3FKx7wLP1B4qm3w6Abst3f9Hr8S2pMIETX44WJkaCdb4Zu7oom5IwsA1BBgWCAAm
+FiEEIfxoJ0quO13jmkJ3zHhieJgbBygFAmWKvAMFCQPCZwACGwIAgQkQzHhieJgbByh2IAQZFggA
+HRYhBG0gfcwKwoHb/ChXhVc0NsIxrmM4BQJlirwDAAoJEFc0NsIxrmM4Sl4BAKZNuM4q2CNR0xtY
+OBI3XoYxAMDgcLjKNlXRz/jlHr9NAP4s/CslyoQu9hj2WChlLwEEutYtUWY+stbAUi9pW4yHDsUi
+AQCRUSL2WmjCIteNT1jC2oDyD7rqIlLW6kKaSS6xbZo2QwEAjMwIsEU066czOQwkzv/ftFhDKOcx
+gMXZMeceVrvq+wM=
+=rHQj
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/src/tests/ffi-key-sig.cpp b/src/tests/ffi-key-sig.cpp
@@ -1624,3 +1624,128 @@ TEST_F(rnp_tests, test_ffi_key_import_invalid_issuer)
 
     rnp_ffi_destroy(ffi);
 }
+
+TEST_F(rnp_tests, test_ffi_add_revoker_signature)
+{
+    rnp_ffi_t ffi = NULL;
+    assert_rnp_success(rnp_ffi_create(&ffi, "GPG", "GPG"));
+    assert_true(import_all_keys(ffi, "data/test_stream_key_load/ecc-25519-2subs-sec.asc"));
+    assert_true(import_pub_keys(ffi, "data/test_stream_key_load/ecc-p256-pub.asc"));
+    assert_true(import_pub_keys(ffi, "data/test_stream_key_load/ecc-p384-pub.asc"));
+    rnp_key_handle_t key = NULL;
+    /* Locate key and make sure it doesn't have designated revokers */
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-25519", &key));
+    size_t count = 10;
+    assert_rnp_success(rnp_key_get_revoker_count(key, &count));
+    assert_int_equal(count, 0);
+    /* Add designated revoker */
+    rnp_key_handle_t revoker = NULL;
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-p256", &revoker));
+    rnp_signature_handle_t newsig = NULL;
+    /* Create signature, including edge cases checks */
+    assert_rnp_failure(rnp_key_direct_signature_create(NULL, NULL, &newsig));
+    assert_rnp_failure(rnp_key_direct_signature_create(key, key, NULL));
+    assert_rnp_failure(rnp_key_direct_signature_create(revoker, key, &newsig));
+    assert_rnp_success(rnp_key_direct_signature_create(key, NULL, &newsig));
+    /* Set revoker, including edge cases */
+    assert_rnp_failure(rnp_key_signature_set_revoker(NULL, revoker, 0));
+    assert_rnp_failure(rnp_key_signature_set_revoker(newsig, NULL, 0));
+    assert_rnp_failure(rnp_key_signature_set_revoker(newsig, revoker, 0x33));
+    assert_rnp_success(rnp_key_signature_set_revoker(newsig, revoker, 0));
+    assert_rnp_success(rnp_key_signature_set_revoker(newsig, revoker, RNP_REVOKER_SENSITIVE));
+    /* Attempt to validate non-finished signature */
+    assert_rnp_failure(rnp_signature_is_valid(newsig, 0));
+    /* Populate signature */
+    assert_rnp_failure(rnp_key_signature_sign(NULL));
+    assert_int_equal(rnp_key_signature_sign(newsig), RNP_ERROR_BAD_PASSWORD);
+    rnp_ffi_set_pass_provider(ffi, ffi_string_password_provider, (void *) "wrong1");
+    assert_int_equal(rnp_key_signature_sign(newsig), RNP_ERROR_BAD_PASSWORD);
+    rnp_ffi_set_pass_provider(ffi, ffi_string_password_provider, (void *) "password");
+    assert_rnp_success(rnp_key_signature_sign(newsig));
+    /* Check signature and key properties */
+    char *revfp = NULL;
+    assert_rnp_success(rnp_signature_get_revoker(newsig, &revfp));
+    assert_string_equal(revfp, "B54FDEBBB673423A5D0AA54423674F21B2441527");
+    rnp_buffer_destroy(revfp);
+    assert_rnp_success(rnp_key_get_revoker_count(key, &count));
+    assert_int_equal(count, 1);
+    assert_rnp_success(rnp_key_get_revoker_at(key, 0, &revfp));
+    assert_string_equal(revfp, "B54FDEBBB673423A5D0AA54423674F21B2441527");
+    rnp_buffer_destroy(revfp);
+    assert_rnp_success(rnp_signature_is_valid(newsig, 0));
+    /* Attempt to sign already populated  signature */
+    assert_rnp_failure(rnp_key_signature_sign(newsig));
+    rnp_signature_handle_destroy(newsig);
+    /* Make sure that newly added signature is first of the key's signatures */
+    assert_rnp_success(rnp_key_get_signature_at(key, 0, &newsig));
+    assert_rnp_failure(rnp_key_signature_sign(newsig));
+    char *type = NULL;
+    assert_rnp_success(rnp_signature_get_type(newsig, &type));
+    assert_string_equal(type, "direct");
+    rnp_buffer_destroy(type);
+    assert_rnp_success(rnp_signature_get_revoker(newsig, &revfp));
+    assert_string_equal(revfp, "B54FDEBBB673423A5D0AA54423674F21B2441527");
+    rnp_buffer_destroy(revfp);
+    rnp_signature_handle_destroy(newsig);
+    /* Export key and make sure signature is exported */
+    auto keydata = export_key(key, true);
+    rnp_key_handle_destroy(key);
+    rnp_key_handle_destroy(revoker);
+    rnp_ffi_t newffi = NULL;
+    assert_rnp_success(rnp_ffi_create(&newffi, "GPG", "GPG"));
+    assert_true(import_all_keys(newffi, keydata.data(), keydata.size()));
+    assert_rnp_success(rnp_locate_key(newffi, "userid", "ecc-25519", &key));
+    assert_rnp_success(rnp_key_get_revoker_count(key, &count));
+    assert_int_equal(count, 1);
+    assert_rnp_success(rnp_key_get_revoker_at(key, 0, &revfp));
+    assert_string_equal(revfp, "B54FDEBBB673423A5D0AA54423674F21B2441527");
+    rnp_buffer_destroy(revfp);
+    assert_rnp_success(rnp_key_get_signature_at(key, 0, &newsig));
+    assert_rnp_success(rnp_signature_get_type(newsig, &type));
+    assert_string_equal(type, "direct");
+    rnp_buffer_destroy(type);
+    assert_rnp_success(rnp_signature_get_revoker(newsig, &revfp));
+    assert_string_equal(revfp, "B54FDEBBB673423A5D0AA54423674F21B2441527");
+    rnp_buffer_destroy(revfp);
+    rnp_signature_handle_destroy(newsig);
+    rnp_key_handle_destroy(key);
+    /* Reload keyrings and make sure data is saved */
+    assert_rnp_success(rnp_unload_keys(newffi, RNP_KEY_UNLOAD_PUBLIC | RNP_KEY_UNLOAD_SECRET));
+    rnp_ffi_destroy(newffi);
+    /* Add second designated revoker and make sure it works */
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-25519", &key));
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-p384", &revoker));
+    assert_rnp_success(rnp_key_direct_signature_create(key, NULL, &newsig));
+    assert_rnp_success(rnp_key_signature_set_revoker(newsig, revoker, 0));
+    assert_rnp_success(rnp_key_signature_sign(newsig));
+    assert_rnp_success(rnp_signature_get_revoker(newsig, &revfp));
+    assert_string_equal(revfp, "AB25CBA042DD924C3ACC3ED3242A3AA5EA85F44A");
+    rnp_buffer_destroy(revfp);
+    assert_rnp_success(rnp_key_get_revoker_count(key, &count));
+    assert_int_equal(count, 2);
+    assert_rnp_success(rnp_key_get_revoker_at(key, 0, &revfp));
+    assert_string_equal(revfp, "AB25CBA042DD924C3ACC3ED3242A3AA5EA85F44A");
+    rnp_buffer_destroy(revfp);
+    assert_rnp_success(rnp_signature_is_valid(newsig, 0));
+    rnp_signature_handle_destroy(newsig);
+    rnp_key_handle_destroy(key);
+    rnp_key_handle_destroy(revoker);
+    /* Attempt to add designatured revoker to subkey */
+    rnp_key_handle_t subkey = NULL;
+    assert_rnp_success(
+      rnp_locate_key(ffi, "fingerprint", "6D207DCC0AC281DBFC285785573436C231AE6338", &subkey));
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-p384", &revoker));
+    assert_rnp_failure(rnp_key_direct_signature_create(subkey, NULL, &newsig));
+    rnp_key_handle_destroy(revoker);
+    /* Standard doesn't seem to answer whether subkey should be allowed here */
+    assert_rnp_success(rnp_locate_key(ffi, "userid", "ecc-25519", &key));
+    assert_rnp_success(rnp_key_direct_signature_create(key, NULL, &newsig));
+    assert_rnp_success(rnp_key_signature_set_revoker(newsig, subkey, 0));
+    assert_rnp_success(rnp_key_signature_sign(newsig));
+    rnp_signature_handle_destroy(newsig);
+    rnp_key_handle_destroy(key);
+    rnp_key_handle_destroy(subkey);
+    /* Check v5 key */
+
+    rnp_ffi_destroy(ffi);
+}