From d5aba3257cb9ab0d0022afe01be9a7b3a7c26130 Mon Sep 17 00:00:00 2001
From: Tankred Hase <mail@tankredhase.de>
Date: Fri, 10 Jun 2016 14:37:39 +0200
Subject: [PATCH] Verifiy user id signatures

---
 src/service/pgp.js | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/src/service/pgp.js b/src/service/pgp.js
index 1066006..86ae518 100644
--- a/src/service/pgp.js
+++ b/src/service/pgp.js
@@ -47,21 +47,35 @@ class PGP {
       util.throw(400, 'Invalid PGP key: only one key can be uploaded');
     }
 
-    let key = {
-      keyId: r.keys[0].primaryKey.getKeyId().toHex(),
-      fingerprint: r.keys[0].primaryKey.fingerprint,
-      userIds: this.parseUserIds(r.keys[0].getUserIds()),
-      created: r.keys[0].primaryKey.created,
-      algorithm: r.keys[0].primaryKey.algorithm,
-      keySize: r.keys[0].primaryKey.getBitSize(),
+    let key = r.keys[0];
+    let primaryKey = key.primaryKey;
+
+    // public key document that is stored in the database
+    let keyDoc = {
+      keyId: primaryKey.getKeyId().toHex(),
+      fingerprint: primaryKey.fingerprint,
+      userIds: this.parseUserIds(key.getUserIds()),
+      created: primaryKey.created,
+      algorithm: primaryKey.algorithm,
+      keySize: primaryKey.getBitSize(),
       publicKeyArmored
     };
 
-    if (!util.isKeyId(key.keyId) || !util.isFingerPrint(key.fingerprint)) {
+    // accept version 4 keys only
+    if (!util.isKeyId(keyDoc.keyId) || !util.isFingerPrint(keyDoc.fingerprint)) {
       util.throw(400, 'Invalid PGP key: only v4 keys are accepted');
     }
 
-    return key;
+    // verify user id signatures
+    for (let user of key.users) {
+      for (let cert of user.selfCertifications) {
+        if (!user.isValidSelfCertificate(primaryKey, cert)) {
+          util.throw(400, 'Invalid PGP key: invalid user id signatures');
+        }
+      }
+    }
+
+    return keyDoc;
   }
 
   /**