Better verification of PGP keys

- checks whether the key can be used to encrypt and whether it's expired
pull/727/head
iglocska 2015-11-11 17:03:59 +01:00
parent 6baa3bea00
commit 675ceb2e0e
2 changed files with 30 additions and 8 deletions


@ -1 +1 @@
{"major":2, "minor":3, "hotfix":155}
{"major":2, "minor":3, "hotfix":156}


@ -372,21 +372,43 @@ class User extends AppModel {
)));
}
public function verifyGPG() {
public function verifyGPG($id = false) {
require_once 'Crypt/GPG.php';
$this->Behaviors->detach('Trim');
$results = array();
$conditions = array('not' => array('gpgkey' => ''));
if ($id !== false) $conditions['User.id'] = $id;
$users = $this->find('all', array(
'conditions' => array('not' => array('gpgkey' => '')),
//'fields' => array('id', 'email', 'gpgkey'),
'conditions' => $conditions,
'recursive' => -1,
));
if (empty($users)) return results;
$currentTimestamp = time();
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg')));
foreach ($users as $k => $user) {
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg')));
try {
$key = $gpg->importKey($user['User']['gpgkey']);
$gpg->addEncryptKey($key['fingerprint']); // use the key that was given in the import
$enc = $gpg->encrypt('test', true);
$temp = $gpg->importKey($user['User']['gpgkey']);
$key = $gpg->getKeys($temp['fingerprint']);
$subKeys = $key[0]->getSubKeys();
$sortedKeys = array('valid' => 0, 'expired' => 0, 'noEncrypt' => 0);
foreach ($subKeys as $subKey) {
$issue = false;
if ($currentTimestamp > $subKey->getExpirationDate()) {
$sortedKeys['expired']++;
continue;
}
if (!$subKey->canEncrypt()) {
$sortedKeys['noEncrypt']++;
continue;
}
$sortedKeys['valid']++;
}
if (!$sortedKeys['valid']) {
$results[$user['User']['id']][2] = 'The user\'s PGP key does not include a valid subkey that could be used for encryption.';
if ($sortedKeys['expired']) $results[$user['User']['id']][2] .= ' Found ' . $sortedKeys['expired'] . ' subkey(s) that have expired.';
if ($sortedKeys['noEncrypt']) $results[$user['User']['id']][2] .= ' Found ' . $sortedKeys['noEncrypt'] . ' subkey(s) that are sign only.';
$results[$user['User']['id']][0] = true;
}
} catch (Exception $e){
$results[$user['User']['id']][2] = $e->getMessage();
$results[$user['User']['id']][0] = true;