From f046cd0fca57c79ce1c0843b8703297f724b84f8 Mon Sep 17 00:00:00 2001
From: RisingOpsNinja <175097282+RisingOpsNinja@users.noreply.github.com.>
Date: Wed, 4 Sep 2024 11:37:31 +0200
Subject: [PATCH] Check subkeys

---
 backend/src/errors.rs | 5 ++++-
 backend/src/utils.rs  | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/backend/src/errors.rs b/backend/src/errors.rs
index 77c6a30..fb1dcf8 100644
--- a/backend/src/errors.rs
+++ b/backend/src/errors.rs
@@ -44,7 +44,7 @@ pub enum SpecialErrors {
     ExpiredRequest,
     #[error("The key for the requested user does not exist!")]
     InexistingUser,
-    #[error("The key is either expired or uses an obsolete cipher!")]
+    #[error("The primary key is either expired or uses an obsolete cipher!")]
     InvalidCert,
     #[error("Error while sending email")]
     MailErr,
@@ -60,6 +60,8 @@ pub enum SpecialErrors {
     KeyNonExpiring,
     #[error("The primary keys or a subkeys validity is too long")]
     KeyValidityTooLong,
+    #[error("A subkey is either expired or uses an obsolete cipher!")]
+    KeyPolicyViolation,
 }
 
 #[derive(Debug)]
@@ -110,6 +112,7 @@ impl ResponseError for CompatErr {
                 SpecialErrors::UnallowedDomain => StatusCode::UNAUTHORIZED,
                 SpecialErrors::KeyNonExpiring => StatusCode::BAD_REQUEST,
                 SpecialErrors::KeyValidityTooLong => StatusCode::BAD_REQUEST,
+                SpecialErrors::KeyPolicyViolation => StatusCode::BAD_REQUEST,
             },
         }
     }
diff --git a/backend/src/utils.rs b/backend/src/utils.rs
index cd2238a..a2043bc 100644
--- a/backend/src/utils.rs
+++ b/backend/src/utils.rs
@@ -17,6 +17,7 @@ use log::debug;
 use log::error;
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use sequoia_openpgp::cert::ValidCert;
+use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::serialize::Marshal;
 use sequoia_openpgp::types::HashAlgorithm;
 use sequoia_openpgp::{parse::Parse, Cert};
@@ -32,6 +33,13 @@ pub fn validate_cert(cert: &Cert) -> Result<ValidCert> {
         Err(_) => Err(SpecialErrors::InvalidCert)?,
     };
 
+    for key in cert.keys().subkeys() {
+        match log_err!(key.with_policy(&*POLICY, None), debug) {
+            Ok(_) => continue,
+            Err(_) => Err(SpecialErrors::KeyPolicyViolation)?,
+        }
+    }
+
     if let Some(policy_settings) = &SETTINGS.policy {
         if let Some(max_validity_setting) = policy_settings.key_max_validity {
             let max_validity = Duration::from_secs(max_validity_setting);