def test_sign_and_encrypt_double_secret(self):
"We want to produce as many signatures as possible"
recv = DirectoryContext(homedir=self.key_receiver_homedir)
params = """<GnupgKeyParms format="internal">
%transient-key
Key-Type: RSA
Key-Length: 1024
Name-Real: Joe Genkey Tester
Name-Comment: with stupid passphrase
Name-Email: [email protected]
%no-protection
#Passphrase: Crypt0R0cks
#Expire-Date: 2020-12-31
</GnupgKeyParms>
"""
recv.op_genkey(params, None, None)
gen_result = recv.op_genkey_result()
assert_equal(2, len(list(recv.keylist(secret=True))))
sender = DirectoryContext(homedir=self.key_sender_homedir)
sender.set_keylist_mode(gpg.constants.KEYLIST_MODE_SIGS)
sender_keys = list(sender.keylist())
assert_equal(1, len(sender_keys))
sender_key = sender_keys[0]
fpr = sender_key.fpr
sink = gpg.Data()
sender.op_export_keys(sender_keys, 0, sink)
sink.seek(0, 0)
public_sender_key = sink.read()
# Now finally call the function under test
uid_encrypted = list(
sign_keydata_and_encrypt(public_sender_key,
error_cb=None,
homedir=self.key_receiver_homedir))
assert_equals(len(sender_key.uids), len(uid_encrypted))
uids_before = sender.get_key(fpr).uids
sigs_before = [
s for l in get_signatures_for_uids_on_key(
sender, sender_key).values() for s in l
]
for uid, uid_enc in zip(uids_before, uid_encrypted):
uid_enc_str = uid_enc[0].uid
log.info("Uid enc str: %r", uid_enc_str)
log.info("Uid name: %r", uid.name)
# FIXME: assert_equals(uid, uid_enc[0])
# It's a bit weird to re-use the string treatment here.
# But gpgme may return unencodable bytes (and uid, here, is
# coming straight from gpgme). We opted for our UID wrapper
# to return consumable strings, i.e. safe to encode
assert_in(to_valid_utf8_string(uid.name), uid_enc_str)
assert_in(to_valid_utf8_string(uid.email), uid_enc_str)
ciphertext = uid_enc[1]
log.debug("Decrypting %r", ciphertext)
plaintext, result, vrfy = sender.decrypt(ciphertext)
log.debug("Decrypt Result: %r", result)
sender.op_import(plaintext)
import_result = sender.op_import_result()
log.debug("Import Result: %r", import_result)
# Here is the important check for two new signatures
assert_equals(2, import_result.new_signatures)
updated_key = sender.get_key(fpr)
log.debug("updated key: %r", updated_key)
log.debug("updated key sigs: %r",
[(uid, uid.signatures) for uid in updated_key.uids])
sigs_after = [
s for l in get_signatures_for_uids_on_key(
sender, sender_key).values() for s in l
]
assert_greater(len(sigs_after), len(sigs_before))
def test_third_party_key(self):
"""This test tries to trick the receiver by sending
an unrelated key of a third party.
The receiver must not import that key.
"""
THIRD_PARTY_KEY = "third_party.pgp.asc"
self.third_party_key = get_fixture_file(THIRD_PARTY_KEY)
self.key_third_party_homedir = tempfile.mkdtemp()
third_party_gpgcmd = ["gpg", "--homedir={}".format(self.key_third_party_homedir)]
check_call(third_party_gpgcmd + ["--import", self.third_party_key])
keydata = open(self.third_party_key, "rb").read()
public_third_party_key = export_public_key(keydata)
# The "sender" sends its certificate via the app and then receives the email with the certification
public_sender_key = export_public_key(open(self.key_sender_key, 'rb'))
sender = DirectoryContext(homedir=self.key_sender_homedir)
before = list(sender.keylist())
third_party = DirectoryContext(homedir=self.key_third_party_homedir)
third_party.op_import(public_sender_key)
result = third_party.op_import_result()
if result.considered != 1 and result.imported != 1:
raise ValueError("Expected to load exactly one key. %r", result)
else:
imports = result.imports
assert len(imports) == 1, "Imported %d instead of 1" % len(imports)
fpr = result.imports[0].fpr
target_key = third_party.get_key(fpr)
ciphertext, _, _ = third_party.encrypt(
plaintext=public_third_party_key,
recipients=[target_key],
always_trust=True,
sign=False,
)
# Now we have transferred the ciphertext to the victim
plaintext, result, vrfy = sender.decrypt(ciphertext)
log.debug("Decrypt Result: %r", result)
result = assert_raises(ImportNewCertificationError,
import_signature,
plaintext,
homedir=self.key_sender_homedir)
log.debug("Import result: %s", result)
after = list(sender.keylist())
assert_equal(len(before), len(after))
def test_sign_and_encrypt_double_secret(self):
"We want to produce as many signatures as possible"
recv = DirectoryContext(homedir=self.key_receiver_homedir)
params = """<GnupgKeyParms format="internal">
%transient-key
Key-Type: RSA
Key-Length: 1024
Name-Real: Joe Genkey Tester
Name-Comment: with stupid passphrase
Name-Email: [email protected]
%no-protection
#Passphrase: Crypt0R0cks
#Expire-Date: 2020-12-31
</GnupgKeyParms>
"""
recv.op_genkey(params, None, None)
gen_result = recv.op_genkey_result()
assert_equal(2, len(list(recv.keylist(secret=True))))
sender = DirectoryContext(homedir=self.key_sender_homedir)
sender.set_keylist_mode(gpg.constants.KEYLIST_MODE_SIGS)
sender_keys = list(sender.keylist())
assert_equal(1, len(sender_keys))
sender_key = sender_keys[0]
fpr = sender_key.fpr
sink = gpg.Data()
sender.op_export_keys(sender_keys, 0, sink)
sink.seek(0, 0)
public_sender_key = sink.read()
# Now finally call the function under test
uid_encrypted = list(
sign_keydata_and_encrypt(public_sender_key,
error_cb=None,
homedir=self.key_receiver_homedir))
assert_equals(len(sender_key.uids), len(uid_encrypted))
uids_before = sender.get_key(fpr).uids
sigs = [uid.signatures for uid in uids_before]
sigs_before = [sig for signatures in sigs for sig in signatures]
for uid, uid_enc in zip(uids_before, uid_encrypted):
# FIXME: assert_equals(uid, uid_enc[0])
assert_in(uid.name, uid_enc[0].uid)
assert_in(uid.email, uid_enc[0].uid)
ciphertext = uid_enc[1]
log.debug("Decrypting %r", ciphertext)
plaintext, result, vrfy = sender.decrypt(ciphertext)
log.debug("Decrypt Result: %r", result)
sender.op_import(plaintext)
import_result = sender.op_import_result()
log.debug("Import Result: %r", import_result)
# Here is the important check for two new signatures
assert_equals(2, import_result.new_signatures)
updated_key = sender.get_key(fpr)
log.debug("updated key: %r", updated_key)
log.debug("updated key sigs: %r",
[(uid, uid.signatures) for uid in updated_key.uids])
uids_after = sender.get_key(fpr).uids
sigs = [uid.signatures for uid in uids_after]
sigs_after = [sig for signatures in sigs for sig in signatures]
assert_greater(len(sigs_after), len(sigs_before))
def test_sign_and_encrypt_double_secret(self):
"We want to produce as many signatures as possible"
recv = DirectoryContext(homedir=self.key_receiver_homedir)
params = """<GnupgKeyParms format="internal">
%transient-key
Key-Type: RSA
Key-Length: 1024
Name-Real: Joe Genkey Tester
Name-Comment: with stupid passphrase
Name-Email: [email protected]
%no-protection
#Passphrase: Crypt0R0cks
#Expire-Date: 2020-12-31
</GnupgKeyParms>
"""
recv.op_genkey(params, None, None)
gen_result = recv.op_genkey_result()
assert_equal(2, len(list(recv.keylist(secret=True))))
sender = DirectoryContext(homedir=self.key_sender_homedir)
sender.set_keylist_mode(gpg.constants.KEYLIST_MODE_SIGS)
sender_keys = list(sender.keylist())
assert_equal(1, len(sender_keys))
sender_key = sender_keys[0]
fpr = sender_key.fpr
sink = gpg.Data()
sender.op_export_keys(sender_keys, 0, sink)
sink.seek(0, 0)
public_sender_key = sink.read()
# Now finally call the function under test
uid_encrypted = list(sign_keydata_and_encrypt(public_sender_key,
error_cb=None, homedir=self.key_receiver_homedir))
assert_equals(len(sender_key.uids), len(uid_encrypted))
uids_before = sender.get_key(fpr).uids
sigs = [uid.signatures for uid in uids_before]
sigs_before = [sig for signatures in sigs for sig in signatures]
for uid, uid_enc in zip(uids_before, uid_encrypted):
# FIXME: assert_equals(uid, uid_enc[0])
assert_in(uid.name, uid_enc[0].uid)
assert_in(uid.email, uid_enc[0].uid)
ciphertext = uid_enc[1]
log.debug("Decrypting %r", ciphertext)
plaintext, result, vrfy = sender.decrypt(ciphertext)
log.debug("Decrypt Result: %r", result)
sender.op_import(plaintext)
import_result = sender.op_import_result()
log.debug("Import Result: %r", import_result)
# Here is the important check for two new signatures
assert_equals(2, import_result.new_signatures)
updated_key = sender.get_key(fpr)
log.debug("updated key: %r", updated_key)
log.debug("updated key sigs: %r", [(uid, uid.signatures) for uid in updated_key.uids])
uids_after = sender.get_key(fpr).uids
sigs = [uid.signatures for uid in uids_after]
sigs_after = [sig for signatures in sigs for sig in signatures]
assert_greater(len(sigs_after), len(sigs_before))