diff --git a/tests/openpgp/gpg-agent.conf.tmpl b/tests/openpgp/gpg-agent.conf.tmpl index b3cb54f09..70e163317 100644 --- a/tests/openpgp/gpg-agent.conf.tmpl +++ b/tests/openpgp/gpg-agent.conf.tmpl @@ -1,4 +1,2 @@ allow-preset-passphrase no-grab - - diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm index 24fa9df02..38b6a0f0f 100755 --- a/tests/openpgp/tofu.scm +++ b/tests/openpgp/tofu.scm @@ -1,165 +1,167 @@ #!/usr/bin/env gpgscm ;; Copyright (C) 2016 g10 Code GmbH ;; ;; This file is part of GnuPG. ;; ;; GnuPG is free software; you can redistribute it and/or modify ;; it under the terms of the GNU General Public License as published by ;; the Free Software Foundation; either version 3 of the License, or ;; (at your option) any later version. ;; ;; GnuPG is distributed in the hope that it will be useful, ;; but WITHOUT ANY WARRANTY; without even the implied warranty of ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;; GNU General Public License for more details. ;; ;; You should have received a copy of the GNU General Public License ;; along with this program; if not, see . (load (with-path "defs.scm")) -(define GPG `(,(tool 'gpg) --no-permission-warning)) ;; w/o --always-trust + ;; Redefine GPG without --always-trust and a fixed time. +(define GPG `(,(tool 'gpg) --no-permission-warning + --faked-system-time=1466684990)) (define GNUPGHOME (getenv "GNUPGHOME")) (if (string=? "" GNUPGHOME) (error "GNUPGHOME not set")) (catch (skip "Tofu not supported") (call-check `(,@GPG --trust-model=tofu --list-config))) (define KEYS '("2183839A" "BC15C85A" "EE37CF96")) ;; Import the test keys. (call-check `(,@GPG --import ,(in-srcdir "tofu-keys.asc"))) ;; Make sure the keys are imported. (for-each (lambda (keyid) (catch (error "Missing key" keyid) (call-check `(,@GPG --list-keys ,keyid)))) KEYS) ;; Get tofu policy for KEYID. Any remaining arguments are simply ;; passed to GPG. ;; ;; This function only supports keys with a single user id. (define (getpolicy keyid format . args) (let ((policy (list-ref (assoc "uid" (gpg-with-colons `(--tofu-db-format ,format --trust-model=tofu ,@args --list-keys ,keyid))) 17))) (unless (member policy '("auto" "good" "unknown" "bad" "ask")) (error "Bad policy:" policy)) policy)) ;; Check that KEYID's tofu policy matches EXPECTED-POLICY. Any ;; remaining arguments are simply passed to GPG. ;; ;; This function only supports keys with a single user id. (define (checkpolicy keyid format expected-policy . args) (let ((policy (apply getpolicy `(,keyid ,format ,@args)))) (unless (string=? policy expected-policy) (error keyid ": Expected policy to be" expected-policy "but got" policy)))) ;; Get the trust level for KEYID. Any remaining arguments are simply ;; passed to GPG. ;; ;; This function only supports keys with a single user id. (define (gettrust keyid format . args) (let ((trust (list-ref (assoc "pub" (gpg-with-colons `(--tofu-db-format ,format --trust-model=tofu ,@args --list-keys ,keyid))) 1))) (unless (and (= 1 (string-length trust)) (member (string-ref trust 0) (string->list "oidreqnmfuws-"))) (error "Bad trust value:" trust)) trust)) ;; Check that KEYID's trust level matches EXPECTED-TRUST. Any ;; remaining arguments are simply passed to GPG. ;; ;; This function only supports keys with a single user id. (define (checktrust keyid format expected-trust . args) (let ((trust (apply gettrust `(,keyid ,format ,@args)))) (unless (string=? trust expected-trust) (error keyid ": Expected trust to be" expected-trust "but got" trust)))) ;; Set key KEYID's policy to POLICY. Any remaining arguments are ;; passed as options to gpg. (define (setpolicy keyid format policy . args) (call-check `(,@GPG --tofu-db-format ,format --trust-model=tofu ,@args --tofu-policy ,policy ,keyid))) (for-each-p "Testing tofu db formats" (lambda (format) ;; Carefully remove the TOFU db. (catch '() (unlink (string-append GNUPGHOME "/tofu.db"))) (catch '() (unlink-recursively (string-append GNUPGHOME "/tofu.d"))) ;; Verify a message. There should be no conflict and the trust ;; policy should be set to auto. (call-check `(,@GPG --tofu-db-format ,format --trust-model=tofu --verify ,(in-srcdir "tofu-2183839A-1.txt"))) (checkpolicy "2183839A" format "auto") ;; Check default trust. (checktrust "2183839A" format "m") ;; Trust should be derived lazily. Thus, if the policy is set to ;; auto and we change --tofu-default-policy, then the trust should ;; change as well. Try it. (checktrust "2183839A" format "f" '--tofu-default-policy=good) (checktrust "2183839A" format "-" '--tofu-default-policy=unknown) (checktrust "2183839A" format "n" '--tofu-default-policy=bad) ;; Change the policy to something other than auto and make sure the ;; policy and the trust are correct. (for-each-p "" (lambda (policy) (let ((expected-trust (cond ((string=? "good" policy) "f") ((string=? "unknown" policy) "-") (else "n")))) (setpolicy "2183839A" format policy) ;; Since we have a fixed policy, the trust level shouldn't ;; change if we change the default policy. (for-each-p "" (lambda (default-policy) (checkpolicy "2183839A" format policy '--tofu-default-policy default-policy) (checktrust "2183839A" format expected-trust '--tofu-default-policy default-policy)) '("auto" "good" "unknown" "bad" "ask")))) '("good" "unknown" "bad")) ;; BC15C85A conflicts with 2183839A. On conflict, this will set ;; BC15C85A to ask. If 2183839A is auto (it's not, it's bad), then ;; it will be set to ask. (call-check `(,@GPG --tofu-db-format ,format --trust-model=tofu --verify ,(in-srcdir "tofu-BC15C85A-1.txt"))) (checkpolicy "BC15C85A" format "ask") (checkpolicy "2183839A" format "bad") ;; EE37CF96 conflicts with 2183839A and BC15C85A. We change ;; BC15C85A's policy to auto and leave 2183839A's policy at bad. ;; This conflict should cause BC15C85A's policy to be changed to ;; ask (since it is auto), but not affect 2183839A's policy. (setpolicy "BC15C85A" format "auto") (checkpolicy "BC15C85A" format "auto") (call-check `(,@GPG --tofu-db-format ,format --trust-model=tofu --verify ,(in-srcdir "tofu-EE37CF96-1.txt"))) (checkpolicy "BC15C85A" format "ask") (checkpolicy "2183839A" format "bad") (checkpolicy "EE37CF96" format "ask")) '("split" "flat")) diff --git a/tests/openpgp/tofu.test b/tests/openpgp/tofu.test index 18c17562c..0d34af409 100755 --- a/tests/openpgp/tofu.test +++ b/tests/openpgp/tofu.test @@ -1,245 +1,248 @@ #!/bin/sh . $srcdir/defs.inc || exit 3 # set -x +# Redefine GPG with a fixed time. +GPG="$GPG --faked-system-time=1466684990" + KEYS="2183839A BC15C85A EE37CF96" # Make sure $srcdir is set. if test "x$srcdir" = x then echo srcdir environment variable not set! exit 1 fi # Make sure $GNUPGHOME is set. if test "x$GNUPGHOME" = x then echo "GNUPGHOME not set." exit 1 fi # Import the test keys. $GPG --import $srcdir/tofu-keys.asc # Make sure the keys are imported. for k in $KEYS do if ! $GPG --list-keys $k >/dev/null 2>&1 then echo Missing key $k exit 1 fi done format=auto debug() { echo "$@" >&2 } debug_exec() { debug "Running GNUPGHOME=$GNUPGHOME $@" ${@:+"$@"} } # $1 is the keyid of the policy to lookup. Any remaining arguments # are simply passed to GPG. # # This function only supports keys with a single user id. getpolicy() { keyid=$1 if test x$keyid = x then echo No keyid supplied! exit 1 fi shift policy=$(debug_exec $GPG --tofu-db-format=$format --trust-model=tofu \ --with-colons $@ --list-keys "$keyid" \ | awk -F: '/^uid:/ { print $18 }') if test $(echo "$policy" | wc -l) -ne 1 then echo "Got: $policy" >&2 echo "error" else case $policy in auto|good|unknown|bad|ask) echo $policy ;; *) echo "error" ;; esac fi } # $1 is the key id # $2 is the expected policy # The rest are additional options to pass to gpg. checkpolicy() { debug debug "checkpolicy($@)" keyid=$1 shift expected_policy=$1 shift policy=$(getpolicy "$keyid" ${@:+"$@"}) if test "x$policy" != "x$expected_policy" then echo "$keyid: Expected policy to be \`$expected_policy', but got \`$policy'." exit 1 fi } # $1 is the keyid of the trust level to lookup. Any remaining # arguments are simply passed to GPG. # # This function only supports keys with a single user id. gettrust() { keyid=$1 if test x$keyid = x then echo No keyid supplied! exit 1 fi shift trust=$(debug_exec $GPG --tofu-db-format=$format --trust-model=tofu \ --with-colons $@ --list-keys "$keyid" \ | awk -F: '/^pub:/ { print $2 }') if test $(echo "$trust" | wc -l) -ne 1 then echo "error" else case $trust in [oidreqnmfuws-]) echo $trust ;; *) echo "Bad trust value: $trust" >&2; echo "error" ;; esac fi } # $1 is the key id # $2 is the expected trust level # The rest are additional options to pass to gpg. checktrust() { debug debug "checktrust($@)" keyid=$1 shift expected_trust=$1 shift trust=$(gettrust "$keyid" ${@:+"$@"}) if test "x$trust" != "x$expected_trust" then echo "$keyid: Expected trust to be \`$expected_trust', but got \`$trust'." exit 1 fi } # Set key $1's policy to $2. Any remaining arguments are passed as # options to gpg. setpolicy() { debug debug "setpolicy($@)" keyid=$1 shift policy=$1 shift debug_exec $GPG --tofu-db-format=$format \ --trust-model=tofu ${@:+"$@"} --tofu-policy $policy $keyid } for format in split flat do debug debug "Testing with db format $format" # Carefully remove the TOFU db. test -e $GNUPGHOME/tofu.db && rm $GNUPGHOME/tofu.db test -e $GNUPGHOME/tofu.d/email && rm -r $GNUPGHOME/tofu.d/email test -e $GNUPGHOME/tofu.d/key && rm -r $GNUPGHOME/tofu.d/key # This will fail if the directory is not empty. test -e $GNUPGHOME/tofu.d && rmdir $GNUPGHOME/tofu.d # Verify a message. There should be no conflict and the trust policy # should be set to auto. debug_exec $GPG --tofu-db-format=$format --trust-model=tofu \ --verify $srcdir/tofu-2183839A-1.txt checkpolicy 2183839A auto trust=$(gettrust 2183839A) debug "default trust = $trust" if test "x$trust" != xm then echo "Wrong default trust. Got: \`$trust', expected \`m'" exit 1 fi # Trust should be derived lazily. Thus, if the policy is set to auto # and we change --tofu-default-policy, then the trust should change as # well. Try it. checktrust 2183839A f --tofu-default-policy=good checktrust 2183839A - --tofu-default-policy=unknown checktrust 2183839A n --tofu-default-policy=bad # Change the policy to something other than auto and make sure the # policy and the trust are correct. for policy in good unknown bad do if test $policy = good then expected_trust='f' elif test $policy = unknown then expected_trust='-' else expected_trust='n' fi debug debug "Setting TOFU policy to $policy" setpolicy 2183839A $policy # Since we have a fixed policy, the trust level shouldn't # change if we change the default policy. for default_policy in auto good unknown bad ask do checkpolicy 2183839A $policy --tofu-default-policy=$default_policy checktrust 2183839A $expected_trust \ --tofu-default-policy=$default_policy done done # BC15C85A conflicts with 2183839A. On conflict, this will set # BC15C85A to ask. If 2183839A is auto (it's not, it's bad), then # it will be set to ask. debug_exec $GPG --tofu-db-format=$format --trust-model=tofu \ --verify $srcdir/tofu-BC15C85A-1.txt checkpolicy BC15C85A ask checkpolicy 2183839A bad # EE37CF96 conflicts with 2183839A and BC15C85A. We change # BC15C85A's policy to auto and leave 2183839A's policy at bad. # This conflict should cause BC15C85A's policy to be changed to # ask (since it is auto), but not affect 2183839A's policy. setpolicy BC15C85A auto checkpolicy BC15C85A auto debug_exec $GPG --tofu-db-format=$format --trust-model=tofu \ --verify $srcdir/tofu-EE37CF96-1.txt checkpolicy BC15C85A ask checkpolicy 2183839A bad checkpolicy EE37CF96 ask done exit 0