summaryrefslogtreecommitdiff
path: root/src/leap/bitmask/keymanager/validation.py
blob: 16a897e997b23e5b0612299d22c93cf91223964c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# -*- coding: utf-8 -*-
# __init__.py
# Copyright (C) 2014 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

"""
Validation levels implementation for key managment.

See:
    https://leap.se/en/docs/design/transitional-key-validation
"""


from datetime import datetime


class ValidationLevel(object):
    """
    A validation level

    Meant to be used to compare levels or get its string representation.
    """
    def __init__(self, name, value):
        self.name = name
        self.value = value

    def __cmp__(self, other):
        return cmp(self.value, other.value)

    def __str__(self):
        return self.name

    def __repr__(self):
        return "<ValidationLevel: %s (%d)>" % (self.name, self.value)


class _ValidationLevels(object):
    """
    Handler class to manage validation levels. It should have only one global
    instance 'ValidationLevels'.

    The levels are attributes of the instance and can be used like:
       ValidationLevels.Weak_Chain
       ValidationLevels.get("Weak_Chain")
    """
    _level_names = ("Weak_Chain",
                    "Provider_Trust",
                    "Provider_Endorsement",
                    "Third_Party_Endorsement",
                    "Third_Party_Consensus",
                    "Historically_Auditing",
                    "Known_Key",
                    "Fingerprint")

    def __init__(self):
        for name in self._level_names:
            setattr(self, name,
                    ValidationLevel(name, self._level_names.index(name)))

    def get(self, name):
        """
        Get the ValidationLevel of a name

        :param name: name of the level
        :type name: str
        :rtype: ValidationLevel
        """
        return getattr(self, name)

    def __iter__(self):
        return iter(self._level_names)


ValidationLevels = _ValidationLevels()


def can_upgrade(new_key, old_key):
    """
    :type new_key: EncryptionKey
    :type old_key: EncryptionKey
    :rtype: bool
    """
    # First contact
    if old_key is None:
        return True

    # An update of the same key
    if new_key.fingerprint == old_key.fingerprint:
        return True

    # Manually verified fingerprint
    if new_key.validation == ValidationLevels.Fingerprint:
        return True

    # Expired key and higher validation level
    if (old_key.expiry_date is not None and
            old_key.expiry_date < datetime.now() and
            new_key.validation >= old_key.validation):
        return True

    # No expiration date and higher validation level
    if (old_key.expiry_date is None and
            new_key.validation > old_key.validation):
        return True

    # Not successfully used and strict high validation level
    if (not (old_key.sign_used and old_key.encr_used) and
            new_key.validation > old_key.validation):
        return True

    # New key signed by the old key
    # XXX: signatures are using key-ids instead of fingerprints
    key_id = old_key.fingerprint[-16:]
    if key_id in new_key.signatures:
        return True

    return False