Check subkeys

backend/src/errors.rs

@@ -44,7 +44,7 @@ pub enum SpecialErrors {
     ExpiredRequest,
     #[error("The key for the requested user does not exist!")]
     InexistingUser,
-    #[error("The key is either expired or uses an obsolete cipher!")]
+    #[error("The primary key is either expired or uses an obsolete cipher!")]
     InvalidCert,
     #[error("Error while sending email")]
     MailErr,
@@ -60,6 +60,8 @@ pub enum SpecialErrors {
     KeyNonExpiring,
     #[error("The primary keys or a subkeys validity is too long")]
     KeyValidityTooLong,
+    #[error("A subkey is either expired or uses an obsolete cipher!")]
+    KeyPolicyViolation,
 }
 
 #[derive(Debug)]
@@ -110,6 +112,7 @@ impl ResponseError for CompatErr {
                 SpecialErrors::UnallowedDomain => StatusCode::UNAUTHORIZED,
                 SpecialErrors::KeyNonExpiring => StatusCode::BAD_REQUEST,
                 SpecialErrors::KeyValidityTooLong => StatusCode::BAD_REQUEST,
+                SpecialErrors::KeyPolicyViolation => StatusCode::BAD_REQUEST,
             },
         }
     }

backend/src/utils.rs

@@ -17,6 +17,7 @@ use log::debug;
 use log::error;
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use sequoia_openpgp::cert::ValidCert;
+use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::serialize::Marshal;
 use sequoia_openpgp::types::HashAlgorithm;
 use sequoia_openpgp::{parse::Parse, Cert};
@@ -32,6 +33,13 @@ pub fn validate_cert(cert: &Cert) -> Result<ValidCert> {
         Err(_) => Err(SpecialErrors::InvalidCert)?,
     };
 
+    for key in cert.keys().subkeys() {
+        match log_err!(key.with_policy(&*POLICY, None), debug) {
+            Ok(_) => continue,
+            Err(_) => Err(SpecialErrors::KeyPolicyViolation)?,
+        }
+    }
+
     if let Some(policy_settings) = &SETTINGS.policy {
         if let Some(max_validity_setting) = policy_settings.key_max_validity {
             let max_validity = Duration::from_secs(max_validity_setting);