mirror of https://github.com/MISP/MISP
Better verification of PGP keys
- checks whether the key can be used to encrypt and whether it's expiredpull/727/head
parent
6baa3bea00
commit
675ceb2e0e
|
@ -1 +1 @@
|
|||
{"major":2, "minor":3, "hotfix":155}
|
||||
{"major":2, "minor":3, "hotfix":156}
|
||||
|
|
|
@ -372,21 +372,43 @@ class User extends AppModel {
|
|||
)));
|
||||
}
|
||||
|
||||
public function verifyGPG() {
|
||||
public function verifyGPG($id = false) {
|
||||
require_once 'Crypt/GPG.php';
|
||||
$this->Behaviors->detach('Trim');
|
||||
$results = array();
|
||||
$conditions = array('not' => array('gpgkey' => ''));
|
||||
if ($id !== false) $conditions['User.id'] = $id;
|
||||
$users = $this->find('all', array(
|
||||
'conditions' => array('not' => array('gpgkey' => '')),
|
||||
//'fields' => array('id', 'email', 'gpgkey'),
|
||||
'conditions' => $conditions,
|
||||
'recursive' => -1,
|
||||
));
|
||||
if (empty($users)) return results;
|
||||
$currentTimestamp = time();
|
||||
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg')));
|
||||
foreach ($users as $k => $user) {
|
||||
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg')));
|
||||
try {
|
||||
$key = $gpg->importKey($user['User']['gpgkey']);
|
||||
$gpg->addEncryptKey($key['fingerprint']); // use the key that was given in the import
|
||||
$enc = $gpg->encrypt('test', true);
|
||||
$temp = $gpg->importKey($user['User']['gpgkey']);
|
||||
$key = $gpg->getKeys($temp['fingerprint']);
|
||||
$subKeys = $key[0]->getSubKeys();
|
||||
$sortedKeys = array('valid' => 0, 'expired' => 0, 'noEncrypt' => 0);
|
||||
foreach ($subKeys as $subKey) {
|
||||
$issue = false;
|
||||
if ($currentTimestamp > $subKey->getExpirationDate()) {
|
||||
$sortedKeys['expired']++;
|
||||
continue;
|
||||
}
|
||||
if (!$subKey->canEncrypt()) {
|
||||
$sortedKeys['noEncrypt']++;
|
||||
continue;
|
||||
}
|
||||
$sortedKeys['valid']++;
|
||||
}
|
||||
if (!$sortedKeys['valid']) {
|
||||
$results[$user['User']['id']][2] = 'The user\'s PGP key does not include a valid subkey that could be used for encryption.';
|
||||
if ($sortedKeys['expired']) $results[$user['User']['id']][2] .= ' Found ' . $sortedKeys['expired'] . ' subkey(s) that have expired.';
|
||||
if ($sortedKeys['noEncrypt']) $results[$user['User']['id']][2] .= ' Found ' . $sortedKeys['noEncrypt'] . ' subkey(s) that are sign only.';
|
||||
$results[$user['User']['id']][0] = true;
|
||||
}
|
||||
} catch (Exception $e){
|
||||
$results[$user['User']['id']][2] = $e->getMessage();
|
||||
$results[$user['User']['id']][0] = true;
|
||||
|
|
Loading…
Reference in New Issue