canonicalize: simplify import with info from canonicalization

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java

@@ -177,7 +177,7 @@ public class ProviderHelper {
         return getGenericData(KeyRings.buildUnifiedKeyRingUri(masterKeyId), proj, types);
     }
 
-    private LongSparseArray<WrappedPublicKey> getAllWrappedMasterKeys() {
+    private LongSparseArray<WrappedPublicKey> getTrustedMasterKeys() {
         Cursor cursor = mContentResolver.query(KeyRings.buildUnifiedKeyRingsUri(), new String[] {
                 KeyRings.MASTER_KEY_ID,
                 // we pick from cache only information that is not easily available from keyrings
@@ -361,12 +361,6 @@ public class ProviderHelper {
 
                     Date creation = key.getCreationTime();
                     values.put(Keys.CREATION, creation.getTime() / 1000);
-                    if (creation.after(new Date())) {
-                        log(LogLevel.ERROR, LogType.MSG_IP_SUBKEY_FUTURE, new String[]{
-                                creation.toString()
-                        });
-                        return new SaveKeyringResult(SaveKeyringResult.RESULT_ERROR, mLog);
-                    }
                     Date expiryDate = key.getExpiryTime();
                     if (expiryDate != null) {
                         values.put(Keys.EXPIRY, expiryDate.getTime() / 1000);
@@ -389,7 +383,7 @@ public class ProviderHelper {
             mIndent -= 1;
 
             // get a list of owned secret keys, for verification filtering
-            LongSparseArray<WrappedPublicKey> trustedKeys = getAllWrappedMasterKeys();
+            LongSparseArray<WrappedPublicKey> trustedKeys = getTrustedMasterKeys();
 
             // classify and order user ids. primary are moved to the front, revoked to the back,
             // otherwise the order in the keyfile is preserved.
@@ -415,34 +409,16 @@ public class ProviderHelper {
                     try {
                         // self signature
                         if (certId == masterKeyId) {
-                            cert.init(masterKey);
-                            if (!cert.verifySignature(masterKey, userId)) {
-                                // Bad self certification? That's kinda bad...
-                                log(LogLevel.ERROR, LogType.MSG_IP_UID_SELF_BAD);
-                                return new SaveKeyringResult(SaveKeyringResult.RESULT_ERROR, mLog);
-                            }
 
-                            // if we already have a cert..
+                            // NOTE self-certificates are already verified during canonicalization,
-                            if (item.selfCert != null) {
+                            // AND we know there is at most one cert plus at most one revocation
-                                // ..is this perchance a more recent one?
+                            if (!cert.isRevocation()) {
-                                if (item.selfCert.getCreationTime().before(cert.getCreationTime())) {
+                                item.selfCert = cert;
-                                    log(LogLevel.DEBUG, LogType.MSG_IP_UID_SELF_NEWER);
+                                item.isPrimary = cert.isPrimaryUserId();
-                                } else {
-                                    log(LogLevel.DEBUG, LogType.MSG_IP_UID_SELF_IGNORING_OLD);
-                                    continue;
-                                }
-                            } else {
                                 log(LogLevel.DEBUG, LogType.MSG_IP_UID_SELF_GOOD);
-                            }
+                            } else {
-
-                            // save certificate as primary self-cert
-                            item.selfCert = cert;
-                            item.isPrimary = cert.isPrimaryUserId();
-                            if (cert.isRevocation()) {
                                 item.isRevoked = true;
                                 log(LogLevel.DEBUG, LogType.MSG_IP_UID_REVOKED);
-                            } else {
-                                item.isRevoked = false;
                             }
 
                         }
@@ -489,10 +465,8 @@ public class ProviderHelper {
             for (int userIdRank = 0; userIdRank < uids.size(); userIdRank++) {
                 UserIdItem item = uids.get(userIdRank);
                 operations.add(buildUserIdOperations(masterKeyId, item, userIdRank));
-                // no self cert is bad, but allowed by the rfc...
                 if (item.selfCert != null) {
-                    operations.add(buildCertOperations(
+                    operations.add(buildCertOperations(masterKeyId, userIdRank, item.selfCert,
-                            masterKeyId, userIdRank, item.selfCert,
                             secretRing != null ? Certs.VERIFIED_SECRET : Certs.VERIFIED_SELF));
                 }
                 // don't bother with trusted certs if the uid is revoked, anyways

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/OperationResultParcel.java

@@ -131,7 +131,6 @@ public class OperationResultParcel implements Parcelable {
         MSG_IP_SUBKEY_FLAGS_XEX (R.string.msg_ip_subkey_flags_xex),
         MSG_IP_SUBKEY_FLAGS_XXS (R.string.msg_ip_subkey_flags_xxs),
         MSG_IP_SUBKEY_FLAGS_XXX (R.string.msg_ip_subkey_flags_xxx),
-        MSG_IP_SUBKEY_FUTURE (R.string.msg_ip_subkey_future),
         MSG_IP_SUCCESS (R.string.msg_ip_success),
         MSG_IP_UID_CERT_BAD (R.string.msg_ip_uid_cert_bad),
         MSG_IP_UID_CERT_ERROR (R.string.msg_ip_uid_cert_error),
@@ -141,10 +140,7 @@ public class OperationResultParcel implements Parcelable {
         MSG_IP_UID_REORDER(R.string.msg_ip_uid_reorder),
         MSG_IP_UID_PROCESSING (R.string.msg_ip_uid_processing),
         MSG_IP_UID_REVOKED (R.string.msg_ip_uid_revoked),
-        MSG_IP_UID_SELF_BAD (R.string.msg_ip_uid_self_bad),
         MSG_IP_UID_SELF_GOOD (R.string.msg_ip_uid_self_good),
-        MSG_IP_UID_SELF_IGNORING_OLD (R.string.msg_ip_uid_self_ignoring_old),
-        MSG_IP_UID_SELF_NEWER (R.string.msg_ip_uid_self_newer),
 
         // import secret
         MSG_IS(R.string.msg_is),

OpenKeychain/src/main/res/values/strings.xml

@@ -531,7 +531,6 @@
     <string name="msg_ip_subkey_flags_xex">Subkey flags: encrypt</string>
     <string name="msg_ip_subkey_flags_xxs">Subkey flags: sign</string>
     <string name="msg_ip_subkey_flags_xxx">Subkey flags: none</string>
-    <string name="msg_ip_subkey_future">Subkey creation date lies in the future! (%s)</string>
     <string name="msg_ip_success">Successfully imported public keyring</string>
     <string name="msg_ip_reinsert_secret">Re-inserting secret key</string>
     <string name="msg_ip_uid_cert_bad">Encountered bad certificate!</string>
@@ -542,10 +541,7 @@
     <string name="msg_ip_uid_reorder">Re-ordering user ids</string>
     <string name="msg_ip_uid_processing">Processing user id %s</string>
     <string name="msg_ip_uid_revoked">Found uid revocation certificate</string>
-    <string name="msg_ip_uid_self_bad">Bad self certificate encountered!</string>
     <string name="msg_ip_uid_self_good">Found good self certificate</string>
-    <string name="msg_ip_uid_self_ignoring_old">Ignoring older self certificate</string>
-    <string name="msg_ip_uid_self_newer">Using more recent good self certificate</string>
     <string name="msg_is_bad_type_public">Tried to import public keyring as secret. This is a bug, please file a report!</string>
 
     <!-- Import Secret log entries -->