2020-11-13 15:08:37 +01:00
|
|
|
/*
|
|
|
|
* Copyright 2020 Paul Schaub.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
2021-04-26 13:38:12 +02:00
|
|
|
package org.pgpainless.signature;
|
2020-11-13 15:08:37 +01:00
|
|
|
|
2021-01-22 16:52:09 +01:00
|
|
|
import java.util.Date;
|
2020-11-13 15:08:37 +01:00
|
|
|
import java.util.List;
|
|
|
|
|
2021-04-26 13:38:12 +02:00
|
|
|
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
|
|
|
|
import org.bouncycastle.bcpg.sig.RevocationReason;
|
|
|
|
import org.bouncycastle.bcpg.sig.SignatureExpirationTime;
|
2020-11-13 15:08:37 +01:00
|
|
|
import org.bouncycastle.openpgp.PGPPublicKey;
|
|
|
|
import org.bouncycastle.openpgp.PGPSecretKey;
|
2021-01-22 16:52:09 +01:00
|
|
|
import org.bouncycastle.openpgp.PGPSignature;
|
2020-11-13 15:08:37 +01:00
|
|
|
import org.bouncycastle.openpgp.PGPSignatureGenerator;
|
2021-05-03 13:37:47 +02:00
|
|
|
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
|
2021-01-29 15:15:27 +01:00
|
|
|
import org.pgpainless.PGPainless;
|
2020-11-13 15:08:37 +01:00
|
|
|
import org.pgpainless.algorithm.HashAlgorithm;
|
2021-01-22 16:52:09 +01:00
|
|
|
import org.pgpainless.algorithm.SignatureType;
|
|
|
|
import org.pgpainless.implementation.ImplementationFactory;
|
2021-04-26 13:38:12 +02:00
|
|
|
import org.pgpainless.key.util.OpenPgpKeyAttributeUtil;
|
|
|
|
import org.pgpainless.key.util.RevocationAttributes;
|
2021-05-03 13:37:47 +02:00
|
|
|
import org.pgpainless.policy.Policy;
|
2021-04-26 13:38:12 +02:00
|
|
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
2020-11-13 15:08:37 +01:00
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
|
|
|
* Utility methods related to signatures.
|
|
|
|
*/
|
2020-11-13 15:08:37 +01:00
|
|
|
public class SignatureUtils {
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
|
|
|
* Return a signature generator for the provided signing key.
|
|
|
|
* The signature generator will follow the hash algorithm preferences of the signing key and pick the best algorithm.
|
|
|
|
*
|
|
|
|
* @param singingKey signing key
|
|
|
|
* @return signature generator
|
|
|
|
*/
|
2020-11-13 15:08:37 +01:00
|
|
|
public static PGPSignatureGenerator getSignatureGeneratorFor(PGPSecretKey singingKey) {
|
|
|
|
return getSignatureGeneratorFor(singingKey.getPublicKey());
|
|
|
|
}
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
|
|
|
* Return a signature generator for the provided signing key.
|
|
|
|
* The signature generator will follow the hash algorithm preferences of the signing key and pick the best algorithm.
|
|
|
|
*
|
|
|
|
* @param signingPubKey signing key
|
|
|
|
* @return signature generator
|
|
|
|
*/
|
2020-11-13 15:08:37 +01:00
|
|
|
public static PGPSignatureGenerator getSignatureGeneratorFor(PGPPublicKey signingPubKey) {
|
|
|
|
PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(
|
|
|
|
getPgpContentSignerBuilderForKey(signingPubKey));
|
|
|
|
return signatureGenerator;
|
|
|
|
}
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
2021-05-28 22:37:16 +02:00
|
|
|
* Return a content signer builder for the passed public key.
|
2021-05-03 13:37:47 +02:00
|
|
|
*
|
|
|
|
* The content signer will use a hash algorithm derived from the keys algorithm preferences.
|
|
|
|
* If no preferences can be derived, the key will fall back to the default hash algorithm as set in
|
|
|
|
* the {@link org.pgpainless.policy.Policy}.
|
|
|
|
*
|
2021-05-28 22:37:16 +02:00
|
|
|
* TODO: Move negotiation to negotiator class
|
|
|
|
*
|
2021-05-03 13:37:47 +02:00
|
|
|
* @param publicKey public key
|
|
|
|
* @return content signer builder
|
|
|
|
*/
|
|
|
|
private static PGPContentSignerBuilder getPgpContentSignerBuilderForKey(PGPPublicKey publicKey) {
|
2020-11-13 15:08:37 +01:00
|
|
|
List<HashAlgorithm> preferredHashAlgorithms = OpenPgpKeyAttributeUtil.getPreferredHashAlgorithms(publicKey);
|
2021-01-21 13:47:43 +01:00
|
|
|
if (preferredHashAlgorithms.isEmpty()) {
|
|
|
|
preferredHashAlgorithms = OpenPgpKeyAttributeUtil.guessPreferredHashAlgorithms(publicKey);
|
|
|
|
}
|
2020-11-13 15:08:37 +01:00
|
|
|
HashAlgorithm hashAlgorithm = negotiateHashAlgorithm(preferredHashAlgorithms);
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
return ImplementationFactory.getInstance().getPGPContentSignerBuilder(publicKey.getAlgorithm(), hashAlgorithm.getAlgorithmId());
|
2020-11-13 15:08:37 +01:00
|
|
|
}
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
|
|
|
* Negotiate an acceptable hash algorithm from the provided list of options.
|
|
|
|
* Acceptance of hash algorithms can be changed by setting a custom {@link Policy}.
|
|
|
|
*
|
|
|
|
* @param preferredHashAlgorithms list of preferred hash algorithms of a key
|
|
|
|
* @return first acceptable algorithm, or policies default hash algorithm
|
|
|
|
*/
|
2020-11-13 15:08:37 +01:00
|
|
|
private static HashAlgorithm negotiateHashAlgorithm(List<HashAlgorithm> preferredHashAlgorithms) {
|
2021-05-03 13:37:47 +02:00
|
|
|
Policy policy = PGPainless.getPolicy();
|
|
|
|
for (HashAlgorithm option : preferredHashAlgorithms) {
|
|
|
|
if (policy.getSignatureHashAlgorithmPolicy().isAcceptable(option)) {
|
|
|
|
return option;
|
|
|
|
}
|
2021-01-21 13:47:43 +01:00
|
|
|
}
|
2021-05-03 13:37:47 +02:00
|
|
|
|
|
|
|
return PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm();
|
2020-11-13 15:08:37 +01:00
|
|
|
}
|
2021-01-22 16:52:09 +01:00
|
|
|
|
2021-04-26 13:38:12 +02:00
|
|
|
public static Date getKeyExpirationDate(Date keyCreationDate, PGPSignature signature) {
|
|
|
|
KeyExpirationTime keyExpirationTime = SignatureSubpacketsUtil.getKeyExpirationTime(signature);
|
|
|
|
long expiresInSecs = keyExpirationTime == null ? 0 : keyExpirationTime.getTime();
|
|
|
|
return datePlusSeconds(keyCreationDate, expiresInSecs);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static Date getSignatureExpirationDate(PGPSignature signature) {
|
|
|
|
Date creationDate = signature.getCreationTime();
|
|
|
|
SignatureExpirationTime signatureExpirationTime = SignatureSubpacketsUtil.getSignatureExpirationTime(signature);
|
|
|
|
long expiresInSecs = signatureExpirationTime == null ? 0 : signatureExpirationTime.getTime();
|
|
|
|
return datePlusSeconds(creationDate, expiresInSecs);
|
|
|
|
}
|
|
|
|
|
2021-04-30 10:23:12 +02:00
|
|
|
/**
|
|
|
|
* Return a new date which represents the given date plus the given amount of seconds added.
|
|
|
|
*
|
|
|
|
* Since '0' is a special value in the OpenPGP specification when it comes to dates
|
|
|
|
* (e.g. '0' means no expiration for expiration dates), this method will return 'null' if seconds is 0.
|
|
|
|
*
|
|
|
|
* @param date date
|
|
|
|
* @param seconds number of seconds to be added
|
|
|
|
* @return date plus seconds or null if seconds is '0'
|
|
|
|
*/
|
2021-04-26 13:38:12 +02:00
|
|
|
public static Date datePlusSeconds(Date date, long seconds) {
|
|
|
|
if (seconds == 0) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
return new Date(date.getTime() + 1000 * seconds);
|
|
|
|
}
|
|
|
|
|
2021-01-22 16:52:09 +01:00
|
|
|
public static boolean isSignatureExpired(PGPSignature signature) {
|
2021-04-26 13:38:12 +02:00
|
|
|
return isSignatureExpired(signature, new Date());
|
|
|
|
}
|
|
|
|
|
|
|
|
public static boolean isSignatureExpired(PGPSignature signature, Date comparisonDate) {
|
|
|
|
Date expirationDate = getSignatureExpirationDate(signature);
|
2021-04-30 10:23:12 +02:00
|
|
|
return expirationDate != null && comparisonDate.after(expirationDate);
|
2021-01-22 16:52:09 +01:00
|
|
|
}
|
|
|
|
|
2021-05-03 13:37:47 +02:00
|
|
|
/**
|
|
|
|
* Return true if the provided signature is a hard revocation.
|
|
|
|
* Hard revocations are revocation signatures which either carry a revocation reason of
|
|
|
|
* {@link RevocationAttributes.Reason#KEY_COMPROMISED} or {@link RevocationAttributes.Reason#NO_REASON},
|
|
|
|
* or no reason at all.
|
|
|
|
*
|
|
|
|
* @param signature signature
|
|
|
|
* @return true if signature is a hard revocation
|
|
|
|
*/
|
2021-04-26 13:38:12 +02:00
|
|
|
public static boolean isHardRevocation(PGPSignature signature) {
|
|
|
|
|
|
|
|
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
|
|
|
|
if (type != SignatureType.KEY_REVOCATION && type != SignatureType.SUBKEY_REVOCATION && type != SignatureType.CERTIFICATION_REVOCATION) {
|
|
|
|
// Not a revocation
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
RevocationReason reasonSubpacket = SignatureSubpacketsUtil.getRevocationReason(signature);
|
|
|
|
if (reasonSubpacket == null) {
|
|
|
|
// no reason -> hard revocation
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return RevocationAttributes.Reason.isHardRevocation(reasonSubpacket.getRevocationReason());
|
|
|
|
}
|
2020-11-13 15:08:37 +01:00
|
|
|
}
|