ENGINE-112: #comment Fixed empty fpr problems in stored identities which occurred due to blacklisting. When adding other keys, we now check to see if there is a matching identity entry which lacks an fpr and, if so, we update it instead of adding a new one. Also fixed elect_pubkey NOT to return blacklisted pubkeys.

7 years ago · 64906852a6
parent f8459df7c1
commit 64906852a6
4 changed files with 149 additions and 12 deletions
--- a/src/keymanagement.c
+++ b/src/keymanagement.c
@ -49,8 +49,12 @@ PEP_STATUS elect_pubkey(
            if (identity->comm_type == PEP_ct_unknown ||
                _comm_type_key > identity->comm_type)
            {
-                identity->comm_type = _comm_type_key;
-                _fpr = _keylist->value;
+                bool blacklisted;
+                status = blacklist_is_listed(session, _keylist->value, &blacklisted);
+                if (status == PEP_STATUS_OK && !blacklisted) {
+                    identity->comm_type = _comm_type_key;
+                    _fpr = _keylist->value;
+                }
            }
        }
    }
--- a/src/pEpEngine.c
+++ b/src/pEpEngine.c
@ -32,6 +32,8 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
    static const char *sql_get_device_group;
    static const char *sql_set_pgp_keypair;
    static const char *sql_set_identity;
+    static const char *sql_exists_empty_fpr_entry;
+    static const char *sql_update_fprless_identity;
    static const char *sql_set_identity_flags;
    static const char *sql_set_trust;
    static const char *sql_get_trust;
@ -46,7 +48,7 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
    static const char *sql_blacklist_delete;
    static const char *sql_blacklist_is_listed;
    static const char *sql_blacklist_retrieve;
-
+    
    // Own keys
    static const char *sql_own_key_is_listed;
    static const char *sql_own_identities_retrieve;
@ -334,6 +336,13 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
        sql_set_identity = "insert or replace into identity (address, main_key_id, "
                           "user_id, flags) values (?1, upper(replace(?2,' ','')),"
                           "?3, ?4 & 255) ;";
+        
+        sql_exists_empty_fpr_entry = "select count(*) from identity where address = ?1 and user_id = ?2 "
+                                        "and (main_key_id is null or main_key_id = '');";
+                
+        sql_update_fprless_identity = "update identity set main_key_id = upper(replace(?2,' ','')), "
+                                         "flags = ?4 & 255 where address = ?1 and user_id = ?3 and "
+                                         "(main_key_id is null or main_key_id = '');";

        sql_set_identity_flags = "update identity set flags = ?1 & 255 "
                                 "where address = ?2 and user_id = ?3 ;";
@ -367,7 +376,7 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
        sql_blacklist_is_listed = "select count(*) from blacklist_keys where fpr = upper(replace(?1,' ','')) ;";

        sql_blacklist_retrieve = "select * from blacklist_keys ;";
-        
+                
        // Own keys
        
        sql_own_key_is_listed =
@ -439,6 +448,16 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
            (int)strlen(sql_set_identity), &_session->set_identity, NULL);
    assert(int_result == SQLITE_OK);

+    int_result = sqlite3_prepare_v2(_session->db, sql_exists_empty_fpr_entry,
+                                    (int)strlen(sql_exists_empty_fpr_entry), &_session->exists_empty_fpr_entry,
+                                    NULL);
+    assert(int_result == SQLITE_OK);
+    
+    int_result = sqlite3_prepare_v2(_session->db, sql_update_fprless_identity,
+                                    (int)strlen(sql_update_fprless_identity), &_session->update_fprless_identity,
+                                    NULL);
+    assert(int_result == SQLITE_OK);
+    
    int_result = sqlite3_prepare_v2(_session->db, sql_set_identity_flags,
            (int)strlen(sql_set_identity_flags), &_session->set_identity_flags,
            NULL);
@ -493,7 +512,7 @@ DYNAMIC_API PEP_STATUS init(PEP_SESSION *session)
            (int)strlen(sql_blacklist_retrieve), &_session->blacklist_retrieve,
            NULL);
    assert(int_result == SQLITE_OK);
-
+    
    // Own keys
    
    int_result = sqlite3_prepare_v2(_session->db, sql_own_key_is_listed,
@ -995,6 +1014,47 @@ DYNAMIC_API PEP_STATUS get_identity(
    return status;
 }

+
+static PEP_STATUS exists_empty_fpr_entry (
+    PEP_SESSION session,
+    const char* address,
+    const char* user_id,
+    bool *exists_empty_fpr
+)
+{
+    PEP_STATUS status = PEP_STATUS_OK;
+    int count;
+    
+    assert(session && address && user_id && exists_empty_fpr);
+    
+    if (!(session && address && user_id && exists_empty_fpr))
+        return PEP_ILLEGAL_VALUE;
+    
+    *exists_empty_fpr = false;
+    
+    sqlite3_reset(session->exists_empty_fpr_entry);
+    sqlite3_bind_text(session->exists_empty_fpr_entry, 1, address, -1, SQLITE_STATIC);
+    sqlite3_bind_text(session->exists_empty_fpr_entry, 2, user_id, -1, SQLITE_STATIC);
+    
+    int result;
+    
+    result = sqlite3_step(session->exists_empty_fpr_entry);
+    switch (result) {
+        case SQLITE_ROW:
+            count = sqlite3_column_int(session->exists_empty_fpr_entry, 0);
+            *exists_empty_fpr = count > 0;
+            status = PEP_STATUS_OK;
+            break;
+            
+        default:
+            status = PEP_UNKNOWN_ERROR;
+    }
+    
+    sqlite3_reset(session->exists_empty_fpr_entry);
+    return status;
+}
+
+
 DYNAMIC_API PEP_STATUS set_identity(
        PEP_SESSION session, const pEp_identity *identity
    )
@ -1012,8 +1072,11 @@ DYNAMIC_API PEP_STATUS set_identity(
        return PEP_ILLEGAL_VALUE;

    bool listed;
+    bool exists_empty_fpr;
    
    if (identity->fpr && identity->fpr[0] != '\0') {
+        
+        // blacklist check
        PEP_STATUS status = blacklist_is_listed(session, identity->fpr, &listed);
        assert(status == PEP_STATUS_OK);
        if (status != PEP_STATUS_OK)
@ -1021,6 +1084,13 @@ DYNAMIC_API PEP_STATUS set_identity(

        if (listed)
            return PEP_KEY_BLACKLISTED;
+        
+        // empty fpr already in DB
+        status = exists_empty_fpr_entry(session, identity->address,
+                                           identity->user_id, &exists_empty_fpr);
+        if (status != PEP_STATUS_OK)
+            return status;
+        
    }

    sqlite3_exec(session->db, "BEGIN ;", NULL, NULL, NULL);
@ -1060,16 +1130,19 @@ DYNAMIC_API PEP_STATUS set_identity(
        return PEP_CANNOT_SET_PGP_KEYPAIR;
    }

-    sqlite3_reset(session->set_identity);
-    sqlite3_bind_text(session->set_identity, 1, identity->address, -1,
+    sqlite3_stmt *update_or_set_identity = 
+        (exists_empty_fpr ? session->update_fprless_identity : session->set_identity);
+    
+    sqlite3_reset(update_or_set_identity);
+    sqlite3_bind_text(update_or_set_identity, 1, identity->address, -1,
            SQLITE_STATIC);
-    sqlite3_bind_text(session->set_identity, 2, identity->fpr, -1,
+    sqlite3_bind_text(update_or_set_identity, 2, identity->fpr, -1,
            SQLITE_STATIC);
-    sqlite3_bind_text(session->set_identity, 3, identity->user_id, -1,
+    sqlite3_bind_text(update_or_set_identity, 3, identity->user_id, -1,
            SQLITE_STATIC);
-    sqlite3_bind_int(session->set_identity, 4, identity->flags);
-    result = sqlite3_step(session->set_identity);
-    sqlite3_reset(session->set_identity);
+    sqlite3_bind_int(update_or_set_identity, 4, identity->flags);
+    result = sqlite3_step(update_or_set_identity);
+    sqlite3_reset(update_or_set_identity);
    if (result != SQLITE_DONE) {
        sqlite3_exec(session->db, "ROLLBACK ;", NULL, NULL, NULL);
        return PEP_CANNOT_SET_IDENTITY;
--- a/src/pEp_internal.h
+++ b/src/pEp_internal.h
@ -99,6 +99,8 @@ typedef struct _pEpSession {
    sqlite3_stmt *get_device_group;
    sqlite3_stmt *set_pgp_keypair;
    sqlite3_stmt *set_identity;
+    sqlite3_stmt *exists_empty_fpr_entry;
+    sqlite3_stmt *update_fprless_identity;
    sqlite3_stmt *set_identity_flags;
    sqlite3_stmt *set_trust;
    sqlite3_stmt *get_trust;
--- a/test/blacklist_test.cc
+++ b/test/blacklist_test.cc
@ -1,8 +1,11 @@
 #include <iostream>
+#include <iostream>
+#include <fstream>
 #include <string>
 #include <cstring> // for strcmp()
 #include <assert.h>
 #include "blacklist.h"
+#include "keymanagement.h"

 using namespace std;

@ -56,6 +59,61 @@ int main() {
    assert(!listed);
    cout << "23 is not listed any more.\n";

+    cout << "blacklist only key for identity / unblacklist key / add key" << endl;
+    
+    // 2797 65A2 FEB5 B7C7 31B8  61D9 3E4C EFD9 F7AF 4684 - this is the blacklisted key in blacklisted_pub.asc
+
+    /* read the key into memory */
+    ifstream infile("blacklisted_pub.asc");
+    string keytext;
+    while (!infile.eof()) {
+        static string line;
+        getline(infile, line);
+        keytext += line + "\n";
+    }
+    infile.close(); 
+    
+    /* FIXME: put in automated test stuff (N.B. only gdb mem examination to this point to get
+     *        fix in */
+    /* import it into pep */
+    PEP_STATUS status7 = import_key(session, keytext.c_str(), keytext.length(), NULL);
+    
+    const char* bl_fpr_1 = "279765A2FEB5B7C731B861D93E4CEFD9F7AF4684";
+    const char* bl_fpr_2 = "634FAC4417E9B2A5DC2BD4AAC4AEEBBE7E62701B";
+    bool is_blacklisted = false;
+    
+    pEp_identity* blacklisted_identity = new_identity("blacklistedkeys@kgrothoff.org",
+                                                      bl_fpr_1,
+                                                      NULL,
+                                                      "Blacklist Keypair");
+    PEP_STATUS status8 = update_identity(session, blacklisted_identity);
+
+    PEP_STATUS status9 = blacklist_add(session, bl_fpr_1);
+    PEP_STATUS status10 = blacklist_is_listed(session, bl_fpr_1, &is_blacklisted);
+    PEP_STATUS status11 = update_identity(session, blacklisted_identity);
+
+    /* read the key into memory */
+    ifstream infile2("blacklisted_pub2.asc");
+    string keytext2;
+    while (!infile2.eof()) {
+        static string line2;
+        getline(infile2, line2);
+        keytext2 += line2 + "\n";
+    }
+    infile2.close(); 
+    
+    PEP_STATUS status14 = import_key(session, keytext.c_str(), keytext.length(), NULL);
+    
+    pEp_identity* blacklisted_identity2 = new_identity("blacklistedkeys@kgrothoff.org",
+                                                       bl_fpr_2,
+                                                        NULL,
+                                                       "Blacklist Keypair");
+    PEP_STATUS status15 = update_identity(session, blacklisted_identity2);
+    PEP_STATUS status12 = blacklist_delete(session, bl_fpr_1);
+    PEP_STATUS status13 = update_identity(session, blacklisted_identity);
+    
+    /* FIXME: remove both keys again from everywhere and clean up identities */
+    
    cout << "calling release()\n";
    release(session);
    return 0;