From d9df76ea2504a78865209cda3ae6e41613d5e5aa Mon Sep 17 00:00:00 2001
From: Ruben Pollan <meskio@sindominio.net>
Date: Thu, 30 Oct 2014 21:54:32 -0600
Subject: Merge keys when updating an exisiting key

This is needed to prevent roll back attacks where the attacker push us
to accept a key with an old expiration date that could be use to push an
untrusted key when after it's expiration.
---
 src/leap/keymanager/openpgp.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/leap/keymanager/openpgp.py')

diff --git a/src/leap/keymanager/openpgp.py b/src/leap/keymanager/openpgp.py
index e84cd29..f86b35d 100644
--- a/src/leap/keymanager/openpgp.py
+++ b/src/leap/keymanager/openpgp.py
@@ -37,6 +37,8 @@ from leap.keymanager.keys import (
     build_key_from_dict,
     KEYMANAGER_KEY_TAG,
     TAGS_ADDRESS_PRIVATE_INDEX,
+    KEY_FINGERPRINT_KEY,
+    KEY_DATA_KEY,
 )
 from leap.keymanager.validation import ValidationLevel
 
@@ -394,6 +396,16 @@ class OpenPGPScheme(EncryptionScheme):
         if doc is None:
             self._soledad.create_doc_from_json(key.get_json())
         else:
+            if key.fingerprint == doc.content[KEY_FINGERPRINT_KEY]:
+                # in case of an update of the key merge them with gnupg
+                with self._temporary_gpgwrapper() as gpg:
+                    gpg.import_keys(doc.content[KEY_DATA_KEY])
+                    gpg.import_keys(key.key_data)
+                    gpgkey = gpg.list_keys(secret=key.private).pop()
+                    key = _build_key_from_gpg(
+                        key.address, gpgkey,
+                        gpg.export_keys(gpgkey['fingerprint'],
+                                        secret=key.private))
             doc.set_json(key.get_json())
             self._soledad.put_doc(doc)
 
-- 
cgit v1.2.3