diff --git a/backend/src/errors.rs b/backend/src/errors.rs
index 77c6a30..fb1dcf8 100644
--- a/backend/src/errors.rs
+++ b/backend/src/errors.rs
@@ -44,7 +44,7 @@ pub enum SpecialErrors {
 ExpiredRequest,
 #[error("The key for the requested user does not exist!")]
 InexistingUser,
- #[error("The key is either expired or uses an obsolete cipher!")]
+ #[error("The primary key is either expired or uses an obsolete cipher!")]
 InvalidCert,
 #[error("Error while sending email")]
 MailErr,
@@ -60,6 +60,8 @@ pub enum SpecialErrors {
 KeyNonExpiring,
 #[error("The primary keys or a subkeys validity is too long")]
 KeyValidityTooLong,
+ #[error("A subkey is either expired or uses an obsolete cipher!")]
+ KeyPolicyViolation,
 }

 #[derive(Debug)]
@@ -110,6 +112,7 @@ impl ResponseError for CompatErr {
 SpecialErrors::UnallowedDomain => StatusCode::UNAUTHORIZED,
 SpecialErrors::KeyNonExpiring => StatusCode::BAD_REQUEST,
 SpecialErrors::KeyValidityTooLong => StatusCode::BAD_REQUEST,
+ SpecialErrors::KeyPolicyViolation => StatusCode::BAD_REQUEST,
 },
 }
 }
diff --git a/backend/src/utils.rs b/backend/src/utils.rs
index cd2238a..a2043bc 100644
--- a/backend/src/utils.rs
+++ b/backend/src/utils.rs
@@ -17,6 +17,7 @@ use log::debug;
 use log::error;
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use sequoia_openpgp::cert::ValidCert;
+use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::serialize::Marshal;
 use sequoia_openpgp::types::HashAlgorithm;
 use sequoia_openpgp::{parse::Parse, Cert};
@@ -32,6 +33,13 @@ pub fn validate_cert(cert: &Cert) -> Result {
 Err(_) => Err(SpecialErrors::InvalidCert)?,
 };

+ for key in cert.keys().subkeys() {
+ match log_err!(key.with_policy(&*POLICY, None), debug) {
+ Ok(_) => continue,
+ Err(_) => Err(SpecialErrors::KeyPolicyViolation)?,
+ }
+ }
+
 if let Some(policy_settings) = &SETTINGS.policy {
 if let Some(max_validity_setting) = policy_settings.key_max_validity {
 let max_validity = Duration::from_secs(max_validity_setting);
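Review bot: The name `KeyPolicyViolation` in the second hunk does not say that it is the subkey counterpart of `InvalidCert`, although its message and the reworded `InvalidCert` message in the first hunk now split the two cases into primary key and subkey. A doc comment on the variant, for example `/// A subkey was rejected by the policy check in validate_cert; the primary-key case is InvalidCert.`, would keep the two from being confused at later call sites. The third hunk maps the new variant to `StatusCode::BAD_REQUEST`; the status used for `InvalidCert` is outside the visible lines, so it is worth confirming that the two agree.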
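Review bot: The new loop in `validate_cert` treats `Ok` from `key.with_policy(&*POLICY, None)` as proof that the subkey is acceptable, but the error text it maps to promises that the subkey is neither expired nor on an obsolete cipher. As far as I know, in sequoia-openpgp `with_policy` establishes a binding signature and key algorithm that the policy accepts at the reference time, while key expiry is a separate `alive()` call on the resulting amalgamation and revocation is checked separately again. If expired subkeys are meant to be refused here, the arms could read `Ok(valid) if valid.alive().is_ok() => continue,` and `_ => Err(SpecialErrors::KeyPolicyViolation)?,`; otherwise the message should drop "expired". Since one failing subkey rejects the whole certificate, a short comment stating that this is intended for old, superseded subkeys as well would help. The function starts above the hunk and continues past it, so an expiry check elsewhere in it cannot be ruled out.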