From d9df76ea2504a78865209cda3ae6e41613d5e5aa Mon Sep 17 00:00:00 2001
From: Ruben Pollan <meskio@sindominio.net>
Date: Thu, 30 Oct 2014 21:54:32 -0600
Subject: Merge keys when updating an exisiting key

This is needed to prevent roll back attacks where the attacker push us
to accept a key with an old expiration date that could be use to push an
untrusted key when after it's expiration.
---
 src/leap/keymanager/openpgp.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/leap/keymanager/openpgp.py')

diff --git a/src/leap/keymanager/openpgp.py b/src/leap/keymanager/openpgp.py
index e84cd29..f86b35d 100644
--- a/src/leap/keymanager/openpgp.py
+++ b/src/leap/keymanager/openpgp.py
@@ -37,6 +37,8 @@ from leap.keymanager.keys import (
     build_key_from_dict,
     KEYMANAGER_KEY_TAG,
     TAGS_ADDRESS_PRIVATE_INDEX,
+    KEY_FINGERPRINT_KEY,
+    KEY_DATA_KEY,
 )
 from leap.keymanager.validation import ValidationLevel
 
@@ -394,6 +396,16 @@ class OpenPGPScheme(EncryptionScheme):
         if doc is None:
             self._soledad.create_doc_from_json(key.get_json())
         else:
+            if key.fingerprint == doc.content[KEY_FINGERPRINT_KEY]:
+                # in case of an update of the key merge them with gnupg
+                with self._temporary_gpgwrapper() as gpg:
+                    gpg.import_keys(doc.content[KEY_DATA_KEY])
+                    gpg.import_keys(key.key_data)
+                    gpgkey = gpg.list_keys(secret=key.private).pop()
+                    key = _build_key_from_gpg(
+                        key.address, gpgkey,
+                        gpg.export_keys(gpgkey['fingerprint'],
+                                        secret=key.private))
             doc.set_json(key.get_json())
             self._soledad.put_doc(doc)
 
-- 
cgit v1.2.3


From c223cca848e854d0015314ef517a6a4f928a2d0a Mon Sep 17 00:00:00 2001
From: Ruben Pollan <meskio@sindominio.net>
Date: Tue, 4 Nov 2014 11:53:56 -0600
Subject: Use datetime for key expiration

---
 src/leap/keymanager/openpgp.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/leap/keymanager/openpgp.py')

diff --git a/src/leap/keymanager/openpgp.py b/src/leap/keymanager/openpgp.py
index f86b35d..d3c305e 100644
--- a/src/leap/keymanager/openpgp.py
+++ b/src/leap/keymanager/openpgp.py
@@ -25,6 +25,7 @@ import tempfile
 import io
 
 
+from datetime import datetime
 from gnupg import GPG
 from gnupg.gnupg import GPGUtilities
 
@@ -178,6 +179,10 @@ def _build_key_from_gpg(address, key, key_data):
     :return: An instance of the key.
     :rtype: OpenPGPKey
     """
+    expiry_date = None
+    if key['expires']:
+        expiry_date = datetime.fromtimestamp(int(key['expires']))
+
     return OpenPGPKey(
         address,
         key_id=key['keyid'],
@@ -185,7 +190,7 @@ def _build_key_from_gpg(address, key, key_data):
         key_data=key_data,
         private=True if key['type'] == 'sec' else False,
         length=key['length'],
-        expiry_date=key['expires'],
+        expiry_date=expiry_date,
         validation=ValidationLevel.Weak_Chain,
     )
 
-- 
cgit v1.2.3