mirror of
https://git.verdigado.com/NB-Public/simple-wkd.git
synced 2024-10-30 09:05:52 +01:00
Add optional verification of maximum allowed key validity period
parent
711d626aa9
commit
850868e60a
3 changed files with 37 additions and 2 deletions
|
@ -56,6 +56,10 @@ pub enum SpecialErrors {
|
|||
MissingFile,
|
||||
#[error("User email rejected: domain not allowed")]
|
||||
UnallowedDomain,
|
||||
#[error("The primary key or a subkey does not expire")]
|
||||
KeyNonExpiring,
|
||||
#[error("The primary keys or a subkeys validity is too long")]
|
||||
KeyValidityTooLong,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
|
@ -104,6 +108,8 @@ impl ResponseError for CompatErr {
|
|||
SpecialErrors::MalformedEmail => StatusCode::BAD_REQUEST,
|
||||
SpecialErrors::MissingFile => StatusCode::NOT_FOUND,
|
||||
SpecialErrors::UnallowedDomain => StatusCode::UNAUTHORIZED,
|
||||
SpecialErrors::KeyNonExpiring => StatusCode::BAD_REQUEST,
|
||||
SpecialErrors::KeyValidityTooLong => StatusCode::BAD_REQUEST,
|
||||
},
|
||||
}
|
||||
}
|
||||
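Review bot: The `#[error(...)]` text on `KeyValidityTooLong` has a grammar slip ("keys or a subkeys validity"), and since `CompatErr` implements `ResponseError` this string is presumably what the person submitting the key sees. I would write it as `#[error("The primary key's or a subkey's validity period is too long")]`. The message also does not say what the limit is; the configured value reaches only the debug log in `validate_cert`, so a submitter cannot tell what expiration to set without asking the operator. The `impl ResponseError` body starts and ends outside the second hunk.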
|
|
|
@ -18,6 +18,7 @@ pub struct Settings {
|
|||
pub bind_host: String,
|
||||
pub external_url: Url,
|
||||
pub mail_settings: MailSettings,
|
||||
pub policy: Option<Policy>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
|
@ -31,6 +32,11 @@ pub struct MailSettings {
|
|||
pub mail_subject: String,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub struct Policy {
|
||||
pub key_max_validity: Option<u64>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
pub enum Variant {
|
||||
Advanced,
|
||||
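Review bot: `Policy::key_max_validity` has no doc comment, so its unit and its special value can only be learned by reading `validate_cert`, where it is passed to `Duration::from_secs` and a value of `0` skips the check entirely. An operator who sets `0` expecting the strictest policy would get no enforcement at all. I would add `/// Maximum allowed key validity period in seconds; unset or 0 disables the check.` above the field, and a short `///` line on `Settings::policy` saying that the whole section is optional.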
|
|
|
@ -22,14 +22,37 @@ use sequoia_openpgp::{parse::Parse, Cert};
|
|||
use std::{
|
||||
fs,
|
||||
path::{Path, PathBuf},
|
||||
time::Duration,
|
||||
};
|
||||
|
||||
pub fn validate_cert(cert: &Cert) -> Result<ValidCert> {
|
||||
match log_err!(cert.with_policy(crate::settings::POLICY, None), debug) {
|
||||
Ok(validcert) => Ok(validcert),
|
||||
let validcert = match log_err!(cert.with_policy(crate::settings::POLICY, None), debug) {
|
||||
Ok(validcert) => validcert,
|
||||
Err(_) => Err(SpecialErrors::InvalidCert)?,
|
||||
};
|
||||
|
||||
if let Some(policy_settings) = &SETTINGS.policy {
|
||||
if let Some(max_validity_setting) = policy_settings.key_max_validity {
|
||||
let max_validity = Duration::from_secs(max_validity_setting);
|
||||
|
||||
if !max_validity.is_zero() {
|
||||
for key in validcert.keys() {
|
||||
let validity = key.key_validity_period();
|
||||
|
||||
if validity.is_none() {
|
||||
debug!("Certificate was rejected: The primary key or a subkey has validity period of zero");
|
||||
return Err(SpecialErrors::KeyNonExpiring)?
|
||||
} else if validity > Some(max_validity) {
|
||||
debug!("Certificate was rejected: The primary key or a subkey has a validity period greater than {max_validity_setting} seconds");
|
||||
return Err(SpecialErrors::KeyValidityTooLong)?
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Ok(validcert)
|
||||
}
|
||||
|
||||
pub fn encode_local(local: &str) -> String {
|
||||
let mut digest = vec![0; 20];
|
||||
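Review bot: The new loop in `validate_cert` iterates `validcert.keys()` unfiltered, which as far as I can tell also yields revoked and already-expired subkeys, so a single old revoked subkey without an expiration would get the whole certificate rejected with `KeyNonExpiring`. Restricting the check to keys that are still usable, `for key in validcert.keys().alive().revoked(false) {`, keeps the policy aimed at keys a correspondent could actually rely on. `key_validity_period()` is measured from the key's creation time, not from now, so a key whose owner extends the expiry in short steps will eventually exceed `key_max_validity`; if the intent is "expires within N seconds of submission", compare `key_expiration_time()` with `SystemTime::now() + max_validity` instead. The debug text in the `None` branch says "validity period of zero", although `None` here means the key does not expire.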
|
|