2018-06-13 17:26:48 +02:00
|
|
|
/*
|
|
|
|
* Copyright 2018 Paul Schaub.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
2018-07-18 18:23:06 +02:00
|
|
|
package org.pgpainless.decryption_verification;
|
2018-06-06 18:46:41 +02:00
|
|
|
|
|
|
|
import java.io.FilterInputStream;
|
|
|
|
import java.io.IOException;
|
|
|
|
import java.io.InputStream;
|
|
|
|
import java.security.SignatureException;
|
|
|
|
import java.util.Map;
|
2018-06-10 17:12:44 +02:00
|
|
|
import java.util.logging.Level;
|
|
|
|
import java.util.logging.Logger;
|
2018-06-06 18:46:41 +02:00
|
|
|
|
|
|
|
import org.bouncycastle.openpgp.PGPException;
|
|
|
|
import org.bouncycastle.openpgp.PGPObjectFactory;
|
|
|
|
import org.bouncycastle.openpgp.PGPOnePassSignature;
|
|
|
|
import org.bouncycastle.openpgp.PGPSignature;
|
|
|
|
import org.bouncycastle.openpgp.PGPSignatureList;
|
2018-07-18 18:23:06 +02:00
|
|
|
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
2018-06-06 18:46:41 +02:00
|
|
|
|
|
|
|
public class SignatureVerifyingInputStream extends FilterInputStream {
|
|
|
|
|
2018-06-10 17:12:44 +02:00
|
|
|
private static final Logger LOGGER = Logger.getLogger(SignatureVerifyingInputStream.class.getName());
|
2018-06-19 17:14:37 +02:00
|
|
|
private static final Level LEVEL = Level.INFO;
|
2018-06-10 17:12:44 +02:00
|
|
|
|
2018-06-06 18:46:41 +02:00
|
|
|
private final PGPObjectFactory objectFactory;
|
2018-07-08 19:31:53 +02:00
|
|
|
private final Map<OpenPgpV4Fingerprint, PGPOnePassSignature> onePassSignatures;
|
2018-07-23 16:23:23 +02:00
|
|
|
private final OpenPgpMetadata.Builder resultBuilder;
|
2018-06-06 18:46:41 +02:00
|
|
|
|
2018-06-19 17:14:37 +02:00
|
|
|
private boolean validated = false;
|
|
|
|
|
2018-06-06 18:46:41 +02:00
|
|
|
protected SignatureVerifyingInputStream(InputStream inputStream,
|
|
|
|
PGPObjectFactory objectFactory,
|
2018-07-08 19:31:53 +02:00
|
|
|
Map<OpenPgpV4Fingerprint, PGPOnePassSignature> onePassSignatures,
|
2018-07-23 16:23:23 +02:00
|
|
|
OpenPgpMetadata.Builder resultBuilder) {
|
2018-06-06 18:46:41 +02:00
|
|
|
super(inputStream);
|
|
|
|
this.objectFactory = objectFactory;
|
|
|
|
this.resultBuilder = resultBuilder;
|
|
|
|
this.onePassSignatures = onePassSignatures;
|
2018-06-19 17:14:37 +02:00
|
|
|
|
|
|
|
LOGGER.log(LEVEL, "Begin verifying OnePassSignatures");
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
private void updateOnePassSignatures(byte data) {
|
|
|
|
for (PGPOnePassSignature signature : onePassSignatures.values()) {
|
|
|
|
signature.update(data);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private void updateOnePassSignatures(byte[] b, int off, int len) {
|
|
|
|
for (PGPOnePassSignature signature : onePassSignatures.values()) {
|
|
|
|
signature.update(b, off, len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private void validateOnePassSignatures() throws IOException {
|
2018-06-19 17:14:37 +02:00
|
|
|
|
|
|
|
if (validated) {
|
|
|
|
LOGGER.log(LEVEL, "Validated signatures already. Skip");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
validated = true;
|
|
|
|
|
2018-06-06 18:46:41 +02:00
|
|
|
if (onePassSignatures.isEmpty()) {
|
2018-06-19 17:14:37 +02:00
|
|
|
LOGGER.log(LEVEL, "No One-Pass-Signatures found -> No validation");
|
2018-06-06 18:46:41 +02:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
try {
|
|
|
|
PGPSignatureList signatureList = null;
|
2018-06-08 15:29:09 +02:00
|
|
|
Object obj = objectFactory.nextObject();
|
|
|
|
while (obj != null && signatureList == null) {
|
|
|
|
if (obj instanceof PGPSignatureList) {
|
|
|
|
signatureList = (PGPSignatureList) obj;
|
|
|
|
} else {
|
|
|
|
obj = objectFactory.nextObject();
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (signatureList == null || signatureList.isEmpty()) {
|
2018-06-19 17:14:37 +02:00
|
|
|
throw new IOException("Verification failed - No Signatures found");
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
for (PGPSignature signature : signatureList) {
|
2018-07-08 19:31:53 +02:00
|
|
|
OpenPgpV4Fingerprint fingerprint = null;
|
|
|
|
for (OpenPgpV4Fingerprint f : onePassSignatures.keySet()) {
|
|
|
|
if (f.getKeyId() == signature.getKeyID()) {
|
|
|
|
fingerprint = f;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
PGPOnePassSignature onePassSignature;
|
|
|
|
if (fingerprint == null || (onePassSignature = onePassSignatures.get(fingerprint)) == null) {
|
2018-06-19 17:14:37 +02:00
|
|
|
LOGGER.log(LEVEL, "Found Signature without respective OnePassSignature packet -> skip");
|
2018-06-06 18:46:41 +02:00
|
|
|
continue;
|
|
|
|
}
|
2018-07-08 19:31:53 +02:00
|
|
|
|
2018-06-06 18:46:41 +02:00
|
|
|
if (!onePassSignature.verify(signature)) {
|
|
|
|
throw new SignatureException("Bad Signature of key " + signature.getKeyID());
|
|
|
|
} else {
|
2018-06-19 17:14:37 +02:00
|
|
|
LOGGER.log(LEVEL, "Verified signature of key " + Long.toHexString(signature.getKeyID()));
|
2018-07-08 19:31:53 +02:00
|
|
|
resultBuilder.addVerifiedSignatureFingerprint(fingerprint);
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
} catch (PGPException | SignatureException e) {
|
|
|
|
throw new IOException(e.getMessage(), e);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public int read() throws IOException {
|
|
|
|
final int data = super.read();
|
|
|
|
final boolean endOfStream = data == -1;
|
|
|
|
if (endOfStream) {
|
|
|
|
validateOnePassSignatures();
|
|
|
|
} else {
|
|
|
|
updateOnePassSignatures((byte) data);
|
|
|
|
}
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public int read(byte[] b) throws IOException {
|
|
|
|
return read(b, 0, b.length);
|
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public int read(byte[] b, int off, int len) throws IOException {
|
|
|
|
int read = super.read(b, off, len);
|
|
|
|
|
|
|
|
final boolean endOfStream = read == -1;
|
|
|
|
if (endOfStream) {
|
|
|
|
validateOnePassSignatures();
|
|
|
|
} else {
|
|
|
|
updateOnePassSignatures(b, off, read);
|
|
|
|
}
|
|
|
|
return read;
|
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public long skip(long n) {
|
2018-06-19 17:14:37 +02:00
|
|
|
throw new UnsupportedOperationException("skip() is not supported");
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public synchronized void mark(int readlimit) {
|
2018-06-19 17:14:37 +02:00
|
|
|
throw new UnsupportedOperationException("mark() not supported");
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public synchronized void reset() {
|
2018-06-19 17:14:37 +02:00
|
|
|
throw new UnsupportedOperationException("reset() is not supported");
|
2018-06-06 18:46:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
@Override
|
|
|
|
public boolean markSupported() {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|