voa_openpgp/

lib.rs

#![doc = include_str!("../README.md")]

mod cert;
mod error;
mod voa;

pub mod import;
pub mod lookup;
mod signature;

use std::{fs::read, path::Path};

pub use error::Error;
pub use import::OpenPgpImport;
use log::{debug, error, info, warn};
use pgp::types::KeyDetails;

use crate::lookup::VerifierLookup;
pub use crate::{
    cert::OpenpgpCert,
    signature::{OpenpgpSignature, OpenpgpSignatureCheck, SignerInfo},
    voa::VoaOpenpgp,
};

/// File name suffix for verifiers in the VOA "openpgp" technology
pub(crate) const FILE_SUFFIX: &str = ".openpgp";

/// Creates a representative string for logging from an [`OpenpgpSignature`].
///
/// The returned string is of the form "fingerprint (file)" where "fingerprint" is the
/// list of issuer fingerprints of the signature and "file" is the optional path of a file from
/// which the OpenPGP signature has been read.
fn log_sig_data(signature: &OpenpgpSignature) -> String {
    format!(
        "{}{}",
        signature
            .detached
            .signature
            .issuer_fingerprint()
            .iter()
            .map(|fingerprint| fingerprint.to_string())
            .collect::<Vec<String>>()
            .join(", "),
        if let Some(path) = signature.source() {
            format!(" ({})", path.to_string_lossy())
        } else {
            "".to_string()
        }
    )
}

/// Creates a representative string for logging from an [`OpenpgpCert`].
///
/// The returned string is of the form "fingerprint (verifier)" where "fingerprint" is the
/// primary key fingerprint of the certificate and "verifier" is a list of one or more verifier
/// locations from which the certificate has been assembled.
fn log_cert_data(cert: &OpenpgpCert) -> String {
    format!(
        "{} ({})",
        cert.fingerprint(),
        cert.sources
            .iter()
            .map(|verifier| verifier.canonicalized().to_string_lossy().to_string())
            .collect::<Vec<_>>()
            .join(",")
    )
}

/// Verifies one or more `signatures` for a `signed_file` with one or more `certs`.
///
/// All `signatures` are used to check the data in `signed_file`.
/// For each signature, all `certs` are considered for finding a matching component key for signing.
///
/// The return value is a list of tuples, one entry for each signature (in order).
/// Signatures that could not be positively verified have a `None` entry.
/// Successfully verified signatures have a `Some` entry with a tuple of a signature, certificate
/// and the fingerprint of the component key which verified the data in `signed_file`.
///
/// # Note
///
/// Does not consider OpenPGP signatures with an unset creation time and instead emits a warning for
/// them.
///
/// # Errors
///
/// Returns an error, if the `signed_file` cannot be read.
pub fn verify_from_file<'a>(
    signed_file: impl AsRef<Path>,
    lookup: &'a VerifierLookup,
    signatures: &'a [OpenpgpSignature],
) -> Result<Vec<OpenpgpSignatureCheck<'a>>, Error> {
    let signed_file = signed_file.as_ref();
    let mut result = Vec::new();

    // We load the signed payload into memory (for now)
    let data = read(signed_file).map_err(|source| Error::IoPath {
        path: signed_file.into(),
        source,
        context: "reading signed_file",
    })?;

    'sigs: for signature in signatures {
        let log_sig_data = log_sig_data(signature);
        info!("Verifying OpenPGP signature ({log_sig_data}) for file {signed_file:?}");

        let verifiers = lookup.get_matching_verifiers(signature);
        debug!("Found {} candidate verifiers", verifiers.len());

        for (verifier, cert) in &verifiers {
            let component_fp = format!("{:02x?}", verifier.as_componentkey().fingerprint());
            let log_cert_data = log_cert_data(cert);

            // Cryptographic signature check of the payload against the verifier public key material
            if let Err(error) = verifier.verify(&signature.detached.signature, &data) {
                // A signature that doesn't verify as cryptographically correct with a verifier
                // that `VerifierLookup::get_matching_verifiers` selected is a very irregular
                // situation. So we log it at the "error" level.
                //
                // Ideally, a human should investigate what's going on there.
                error!(
                    "Signature verification error for {log_sig_data} for file {signed_file:?} with component key {component_fp} in OpenPGP certificate {log_cert_data}: {error}"
                );
                continue; // try next verifier, if any
            }

            info!(
                "Successfully verified OpenPGP signature {log_sig_data} for file {signed_file:?} with component key {component_fp} in OpenPGP certificate {log_cert_data}"
            );

            result.push(OpenpgpSignatureCheck::new(
                signature,
                Some(SignerInfo::new(cert, component_fp)),
            ));

            continue 'sigs; // We're done with this signature and can move to the next one
        }

        warn!(
            "Signature {log_sig_data} and file {signed_file:?} could not be verified (tried {} candidate verifiers)",
            verifiers.len()
        );
        result.push(OpenpgpSignatureCheck::new(signature, None));
    }

    Ok(result)
}