From 026de868a3f301abea2671dfd7d858e73f3bb755 Mon Sep 17 00:00:00 2001 From: NavaL Date: Tue, 29 Nov 2016 19:28:52 +0100 Subject: [feat] expired public key are remotely fetched if expired - private key is not allowed to be fetched remotely - fetch_remote needs to be specifically set - if a new key is fetched (ie different KeyID), the validation rule applies --- src/leap/bitmask/keymanager/__init__.py | 5 +++-- src/leap/bitmask/keymanager/keys.py | 2 +- src/leap/bitmask/keymanager/openpgp.py | 2 +- tests/integration/keymanager/test_keymanager.py | 7 ++++--- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/src/leap/bitmask/keymanager/__init__.py b/src/leap/bitmask/keymanager/__init__.py index 6eeaecc9..2014524f 100644 --- a/src/leap/bitmask/keymanager/__init__.py +++ b/src/leap/bitmask/keymanager/__init__.py @@ -210,7 +210,7 @@ class KeyManager(object): @defer.inlineCallbacks def get_inactive_private_keys(self): """ - Return all inactive private keys bound to address, that can are + Return all inactive private keys bound to address, that are stored locally. This can be used to attempt decryption from multiple keys. @@ -494,7 +494,8 @@ class KeyManager(object): """ Decrypt data using private key from address and verify with public key bound to verify address. If the decryption using the active private - key fails, then decription using the inactive key, if any, is tried. + key fails, then decryption with inactive keys, if any, is recursively + tried. :param data: The data to be decrypted. :type data: str diff --git a/src/leap/bitmask/keymanager/keys.py b/src/leap/bitmask/keymanager/keys.py index 4a3aa403..6c0c64ff 100644 --- a/src/leap/bitmask/keymanager/keys.py +++ b/src/leap/bitmask/keymanager/keys.py @@ -330,7 +330,7 @@ class OpenPGPKey(object): def needs_renewal(self, pre_expiration_threshold=DEFAULT_THRESHOLD): """ Indicates if the key is inside the renewal period. For ease of - transition keys should be renewed before they expire. + transition keys should be renewed/extended before they expire. :param pre_expiration_threshold: the amount of days before expiry date whereby the key should be renewed -- default value is 60 days diff --git a/src/leap/bitmask/keymanager/openpgp.py b/src/leap/bitmask/keymanager/openpgp.py index a856ee06..984e1e68 100644 --- a/src/leap/bitmask/keymanager/openpgp.py +++ b/src/leap/bitmask/keymanager/openpgp.py @@ -590,7 +590,7 @@ class OpenPGPScheme(object): Reset sign_used flag for all keys in storage, to False... to indicate that the key pair has not interacted with all keys in the key ring yet. - This should only be used when regenerating the key pair. + This should only be used when regenerating/extending the key pair. """ all_keys = yield self.get_all_keys(private=False) diff --git a/tests/integration/keymanager/test_keymanager.py b/tests/integration/keymanager/test_keymanager.py index d8772191..cacdc704 100644 --- a/tests/integration/keymanager/test_keymanager.py +++ b/tests/integration/keymanager/test_keymanager.py @@ -55,7 +55,7 @@ from common import ( DIFFERENT_PRIVATE_KEY, DIFFERENT_KEY_FPR, DIFFERENT_PUBLIC_KEY, -) + KEY_EXPIRING_CREATION_DATE) NICKSERVER_URI = "http://leap.se/" REMOTE_KEY_URL = "http://site.domain/key" @@ -658,14 +658,15 @@ class KeyManagerKeyManagementTestCase(KeyManagerWithSoledadTestCase): km = self._key_manager(user=ADDRESS_EXPIRING) yield km._openpgp.put_raw_key(PRIVATE_EXPIRING_KEY, ADDRESS_EXPIRING) - key = yield km.get_key(ADDRESS_EXPIRING) + key = yield km.get_key(ADDRESS_EXPIRING, fetch_remote=False) yield km.extend_key_expiration(validity='1w') new_expiry_date = datetime.strptime( KEY_EXPIRING_CREATION_DATE, '%Y-%m-%d') new_expiry_date += timedelta(weeks=1) - renewed_public_key = yield km.get_key(ADDRESS_EXPIRING) + renewed_public_key = yield km.get_key(ADDRESS_EXPIRING, + fetch_remote=False) renewed_private_key = yield km.get_key(ADDRESS_EXPIRING, private=True) self.assertEqual(new_expiry_date.date(), -- cgit v1.2.3