2021-02-19 19:51:44 +01:00
|
|
|
/*
|
|
|
|
* Copyright 2021 Paul Schaub.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
package org.pgpainless.policy;
|
|
|
|
|
|
|
|
import java.util.Arrays;
|
|
|
|
import java.util.Collections;
|
2021-08-15 15:37:34 +02:00
|
|
|
import java.util.EnumMap;
|
2021-02-19 19:51:44 +01:00
|
|
|
import java.util.List;
|
2021-06-11 16:20:29 +02:00
|
|
|
import java.util.Map;
|
2021-02-19 19:51:44 +01:00
|
|
|
|
2021-05-06 00:04:03 +02:00
|
|
|
import org.pgpainless.algorithm.CompressionAlgorithm;
|
2021-02-19 19:51:44 +01:00
|
|
|
import org.pgpainless.algorithm.HashAlgorithm;
|
2021-06-11 16:20:29 +02:00
|
|
|
import org.pgpainless.algorithm.PublicKeyAlgorithm;
|
2021-02-19 19:51:44 +01:00
|
|
|
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
2021-04-26 13:38:12 +02:00
|
|
|
import org.pgpainless.util.NotationRegistry;
|
2021-02-19 19:51:44 +01:00
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Policy class used to configure acceptable algorithm suites etc.
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public final class Policy {
|
|
|
|
|
|
|
|
private static Policy INSTANCE;
|
|
|
|
|
|
|
|
private HashAlgorithmPolicy signatureHashAlgorithmPolicy =
|
|
|
|
HashAlgorithmPolicy.defaultSignatureAlgorithmPolicy();
|
|
|
|
private HashAlgorithmPolicy revocationSignatureHashAlgorithmPolicy =
|
|
|
|
HashAlgorithmPolicy.defaultRevocationSignatureHashAlgorithmPolicy();
|
2021-05-15 20:43:56 +02:00
|
|
|
private SymmetricKeyAlgorithmPolicy symmetricKeyEncryptionAlgorithmPolicy =
|
|
|
|
SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyEncryptionAlgorithmPolicy();
|
|
|
|
private SymmetricKeyAlgorithmPolicy symmetricKeyDecryptionAlgorithmPolicy =
|
2021-05-17 13:47:46 +02:00
|
|
|
SymmetricKeyAlgorithmPolicy.defaultSymmetricKeyDecryptionAlgorithmPolicy();
|
2021-05-06 00:04:03 +02:00
|
|
|
private CompressionAlgorithmPolicy compressionAlgorithmPolicy =
|
|
|
|
CompressionAlgorithmPolicy.defaultCompressionAlgorithmPolicy();
|
2021-06-11 16:20:29 +02:00
|
|
|
private PublicKeyAlgorithmPolicy publicKeyAlgorithmPolicy =
|
|
|
|
PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy();
|
2021-04-26 13:38:12 +02:00
|
|
|
private final NotationRegistry notationRegistry = new NotationRegistry();
|
2021-02-19 19:51:44 +01:00
|
|
|
|
2021-06-10 15:41:44 +02:00
|
|
|
Policy() {
|
2021-02-19 19:51:44 +01:00
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the singleton instance of PGPainless' policy.
|
|
|
|
*
|
|
|
|
* @return singleton instance
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public static Policy getInstance() {
|
|
|
|
if (INSTANCE == null) {
|
|
|
|
INSTANCE = new Policy();
|
|
|
|
}
|
|
|
|
return INSTANCE;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the hash algorithm policy for signatures.
|
|
|
|
* @return hash algorithm policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public HashAlgorithmPolicy getSignatureHashAlgorithmPolicy() {
|
|
|
|
return signatureHashAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Set a custom hash algorithm policy for signatures.
|
|
|
|
*
|
|
|
|
* @param policy custom policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public void setSignatureHashAlgorithmPolicy(HashAlgorithmPolicy policy) {
|
|
|
|
if (policy == null) {
|
|
|
|
throw new NullPointerException("Policy cannot be null.");
|
|
|
|
}
|
|
|
|
this.signatureHashAlgorithmPolicy = policy;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the hash algorithm policy for revocations.
|
|
|
|
* This policy is separate from {@link #getSignatureHashAlgorithmPolicy()}, as PGPainless by default uses a
|
|
|
|
* less strict policy when it comes to acceptable algorithms.
|
|
|
|
*
|
|
|
|
* @return revocation signature hash algorithm policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public HashAlgorithmPolicy getRevocationSignatureHashAlgorithmPolicy() {
|
|
|
|
return revocationSignatureHashAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Set a custom hash algorithm policy for revocations.
|
|
|
|
*
|
|
|
|
* @param policy custom policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public void setRevocationSignatureHashAlgorithmPolicy(HashAlgorithmPolicy policy) {
|
|
|
|
if (policy == null) {
|
|
|
|
throw new NullPointerException("Policy cannot be null.");
|
|
|
|
}
|
|
|
|
this.revocationSignatureHashAlgorithmPolicy = policy;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
2021-05-15 20:43:56 +02:00
|
|
|
* Return the symmetric encryption algorithm policy for encryption.
|
|
|
|
* This policy defines which symmetric algorithms are acceptable when producing encrypted messages.
|
2021-05-15 20:27:43 +02:00
|
|
|
*
|
2021-05-15 20:43:56 +02:00
|
|
|
* @return symmetric algorithm policy for encryption
|
2021-05-15 20:27:43 +02:00
|
|
|
*/
|
2021-05-15 20:43:56 +02:00
|
|
|
public SymmetricKeyAlgorithmPolicy getSymmetricKeyEncryptionAlgorithmPolicy() {
|
|
|
|
return symmetricKeyEncryptionAlgorithmPolicy;
|
2021-02-19 19:51:44 +01:00
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
2021-05-15 20:43:56 +02:00
|
|
|
* Return the symmetric encryption algorithm policy for decryption.
|
|
|
|
* This policy defines which symmetric algorithms are acceptable when decrypting encrypted messages.
|
|
|
|
*
|
|
|
|
* @return symmetric algorithm policy for decryption
|
|
|
|
*/
|
|
|
|
public SymmetricKeyAlgorithmPolicy getSymmetricKeyDecryptionAlgoritmPolicy() {
|
|
|
|
return symmetricKeyDecryptionAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set a custom symmetric encryption algorithm policy for encrypting messages.
|
|
|
|
*
|
|
|
|
* @param policy custom policy
|
|
|
|
*/
|
|
|
|
public void setSymmetricKeyEncryptionAlgorithmPolicy(SymmetricKeyAlgorithmPolicy policy) {
|
|
|
|
if (policy == null) {
|
|
|
|
throw new NullPointerException("Policy cannot be null.");
|
|
|
|
}
|
|
|
|
this.symmetricKeyEncryptionAlgorithmPolicy = policy;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set a custom symmetric encryption algorithm policy for decrypting messages.
|
2021-05-15 20:27:43 +02:00
|
|
|
*
|
|
|
|
* @param policy custom policy
|
|
|
|
*/
|
2021-05-15 20:43:56 +02:00
|
|
|
public void setSymmetricKeyDecryptionAlgorithmPolicy(SymmetricKeyAlgorithmPolicy policy) {
|
2021-02-19 19:51:44 +01:00
|
|
|
if (policy == null) {
|
|
|
|
throw new NullPointerException("Policy cannot be null.");
|
|
|
|
}
|
2021-05-15 20:43:56 +02:00
|
|
|
this.symmetricKeyDecryptionAlgorithmPolicy = policy;
|
2021-02-19 19:51:44 +01:00
|
|
|
}
|
|
|
|
|
2021-05-06 00:04:03 +02:00
|
|
|
public CompressionAlgorithmPolicy getCompressionAlgorithmPolicy() {
|
|
|
|
return compressionAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
|
|
|
public void setCompressionAlgorithmPolicy(CompressionAlgorithmPolicy policy) {
|
|
|
|
if (policy == null) {
|
|
|
|
throw new NullPointerException("Compression policy cannot be null.");
|
|
|
|
}
|
|
|
|
this.compressionAlgorithmPolicy = policy;
|
|
|
|
}
|
|
|
|
|
2021-06-11 16:20:29 +02:00
|
|
|
/**
|
|
|
|
* Return the current public key algorithm policy.
|
|
|
|
*
|
|
|
|
* @return public key algorithm policy
|
|
|
|
*/
|
|
|
|
public PublicKeyAlgorithmPolicy getPublicKeyAlgorithmPolicy() {
|
|
|
|
return publicKeyAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Set a custom public key algorithm policy.
|
|
|
|
*
|
|
|
|
* @param publicKeyAlgorithmPolicy custom policy
|
|
|
|
*/
|
|
|
|
public void setPublicKeyAlgorithmPolicy(PublicKeyAlgorithmPolicy publicKeyAlgorithmPolicy) {
|
|
|
|
if (publicKeyAlgorithmPolicy == null) {
|
|
|
|
throw new NullPointerException("Public key algorithm policy cannot be null.");
|
|
|
|
}
|
|
|
|
this.publicKeyAlgorithmPolicy = publicKeyAlgorithmPolicy;
|
|
|
|
}
|
|
|
|
|
2021-02-19 19:51:44 +01:00
|
|
|
public static final class SymmetricKeyAlgorithmPolicy {
|
|
|
|
|
|
|
|
private final SymmetricKeyAlgorithm defaultSymmetricKeyAlgorithm;
|
|
|
|
private final List<SymmetricKeyAlgorithm> acceptableSymmetricKeyAlgorithms;
|
|
|
|
|
|
|
|
public SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm defaultSymmetricKeyAlgorithm, List<SymmetricKeyAlgorithm> acceptableSymmetricKeyAlgorithms) {
|
|
|
|
this.defaultSymmetricKeyAlgorithm = defaultSymmetricKeyAlgorithm;
|
|
|
|
this.acceptableSymmetricKeyAlgorithms = Collections.unmodifiableList(acceptableSymmetricKeyAlgorithms);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the default symmetric key algorithm.
|
|
|
|
* This algorithm is used as a fallback when no consensus about symmetric algorithms can be reached.
|
|
|
|
*
|
|
|
|
* @return default symmetric encryption algorithm
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public SymmetricKeyAlgorithm getDefaultSymmetricKeyAlgorithm() {
|
|
|
|
return defaultSymmetricKeyAlgorithm;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return true if the given symmetric encryption algorithm is acceptable by this policy.
|
|
|
|
*
|
|
|
|
* @param algorithm algorithm
|
|
|
|
* @return true if algorithm is acceptable, false otherwise
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public boolean isAcceptable(SymmetricKeyAlgorithm algorithm) {
|
|
|
|
return acceptableSymmetricKeyAlgorithms.contains(algorithm);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return true if the given symmetric encryption algorithm is acceptable by this policy.
|
|
|
|
*
|
|
|
|
* @param algorithmId algorithm
|
|
|
|
* @return true if algorithm is acceptable, false otherwise
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public boolean isAcceptable(int algorithmId) {
|
|
|
|
SymmetricKeyAlgorithm algorithm = SymmetricKeyAlgorithm.fromId(algorithmId);
|
|
|
|
return isAcceptable(algorithm);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* The default symmetric encryption algorithm policy of PGPainless.
|
|
|
|
*
|
|
|
|
* @return default symmetric encryption algorithm policy
|
|
|
|
*/
|
2021-05-15 20:43:56 +02:00
|
|
|
public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyEncryptionAlgorithmPolicy() {
|
|
|
|
return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList(
|
2021-05-17 13:47:46 +02:00
|
|
|
// Reject: Unencrypted, IDEA, TripleDES, CAST5
|
2021-05-15 20:43:56 +02:00
|
|
|
SymmetricKeyAlgorithm.AES_256,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.AES_192,
|
|
|
|
SymmetricKeyAlgorithm.AES_128,
|
|
|
|
SymmetricKeyAlgorithm.BLOWFISH,
|
2021-05-15 20:43:56 +02:00
|
|
|
SymmetricKeyAlgorithm.TWOFISH,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_256,
|
2021-05-15 20:43:56 +02:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_192,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_128
|
2021-05-15 20:43:56 +02:00
|
|
|
));
|
|
|
|
}
|
|
|
|
|
2021-05-17 13:47:46 +02:00
|
|
|
/**
|
|
|
|
* The default symmetric decryption algorithm policy of PGPainless.
|
|
|
|
*
|
|
|
|
* @return default symmetric decryption algorithm policy
|
|
|
|
*/
|
2021-05-15 20:43:56 +02:00
|
|
|
public static SymmetricKeyAlgorithmPolicy defaultSymmetricKeyDecryptionAlgorithmPolicy() {
|
2021-02-19 19:51:44 +01:00
|
|
|
return new SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256, Arrays.asList(
|
2021-05-17 13:47:46 +02:00
|
|
|
// Reject: Unencrypted, IDEA, TripleDES
|
2021-02-19 19:51:44 +01:00
|
|
|
SymmetricKeyAlgorithm.CAST5,
|
|
|
|
SymmetricKeyAlgorithm.AES_256,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.AES_192,
|
|
|
|
SymmetricKeyAlgorithm.AES_128,
|
|
|
|
SymmetricKeyAlgorithm.BLOWFISH,
|
2021-02-19 19:51:44 +01:00
|
|
|
SymmetricKeyAlgorithm.TWOFISH,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_256,
|
2021-02-19 19:51:44 +01:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_192,
|
2021-07-01 21:33:38 +02:00
|
|
|
SymmetricKeyAlgorithm.CAMELLIA_128
|
2021-02-19 19:51:44 +01:00
|
|
|
));
|
|
|
|
}
|
2021-07-01 21:33:38 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Select the best acceptable algorithm from the options list.
|
|
|
|
* The best algorithm is the first algorithm we encounter in our list of acceptable algorithms that
|
|
|
|
* is also contained in the list of options.
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* @param options list of algorithm options
|
|
|
|
* @return best
|
|
|
|
*/
|
|
|
|
public SymmetricKeyAlgorithm selectBest(List<SymmetricKeyAlgorithm> options) {
|
|
|
|
for (SymmetricKeyAlgorithm acceptable : acceptableSymmetricKeyAlgorithms) {
|
|
|
|
if (options.contains(acceptable)) {
|
|
|
|
return acceptable;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
2021-02-19 19:51:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
public static final class HashAlgorithmPolicy {
|
|
|
|
|
|
|
|
private final HashAlgorithm defaultHashAlgorithm;
|
|
|
|
private final List<HashAlgorithm> acceptableHashAlgorithms;
|
|
|
|
|
|
|
|
public HashAlgorithmPolicy(HashAlgorithm defaultHashAlgorithm, List<HashAlgorithm> acceptableHashAlgorithms) {
|
|
|
|
this.defaultHashAlgorithm = defaultHashAlgorithm;
|
|
|
|
this.acceptableHashAlgorithms = Collections.unmodifiableList(acceptableHashAlgorithms);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the default hash algorithm.
|
|
|
|
* This algorithm is used as a fallback when no consensus about hash algorithms can be reached.
|
|
|
|
*
|
|
|
|
* @return default hash algorithm
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public HashAlgorithm defaultHashAlgorithm() {
|
|
|
|
return defaultHashAlgorithm;
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return true if the the given hash algorithm is acceptable by this policy.
|
|
|
|
*
|
|
|
|
* @param hashAlgorithm hash algorithm
|
|
|
|
* @return true if the hash algorithm is acceptable, false otherwise
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public boolean isAcceptable(HashAlgorithm hashAlgorithm) {
|
|
|
|
return acceptableHashAlgorithms.contains(hashAlgorithm);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return true if the the given hash algorithm is acceptable by this policy.
|
|
|
|
*
|
|
|
|
* @param algorithmId hash algorithm
|
|
|
|
* @return true if the hash algorithm is acceptable, false otherwise
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public boolean isAcceptable(int algorithmId) {
|
|
|
|
HashAlgorithm algorithm = HashAlgorithm.fromId(algorithmId);
|
|
|
|
return isAcceptable(algorithm);
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* The default signature hash algorithm policy of PGPainless.
|
|
|
|
* Note that this policy is only used for non-revocation signatures.
|
|
|
|
* For revocation signatures {@link #defaultRevocationSignatureHashAlgorithmPolicy()} is used instead.
|
|
|
|
*
|
|
|
|
* @return default signature hash algorithm policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public static HashAlgorithmPolicy defaultSignatureAlgorithmPolicy() {
|
|
|
|
return new HashAlgorithmPolicy(HashAlgorithm.SHA512, Arrays.asList(
|
|
|
|
HashAlgorithm.SHA224,
|
|
|
|
HashAlgorithm.SHA256,
|
|
|
|
HashAlgorithm.SHA384,
|
|
|
|
HashAlgorithm.SHA512
|
|
|
|
));
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* The default revocation signature hash algorithm policy of PGPainless.
|
|
|
|
*
|
|
|
|
* @return default revocation signature hash algorithm policy
|
|
|
|
*/
|
2021-02-19 19:51:44 +01:00
|
|
|
public static HashAlgorithmPolicy defaultRevocationSignatureHashAlgorithmPolicy() {
|
|
|
|
return new HashAlgorithmPolicy(HashAlgorithm.SHA512, Arrays.asList(
|
|
|
|
HashAlgorithm.RIPEMD160,
|
|
|
|
HashAlgorithm.SHA1,
|
|
|
|
HashAlgorithm.SHA224,
|
|
|
|
HashAlgorithm.SHA256,
|
|
|
|
HashAlgorithm.SHA384,
|
|
|
|
HashAlgorithm.SHA512
|
|
|
|
));
|
|
|
|
}
|
|
|
|
}
|
2021-04-26 13:38:12 +02:00
|
|
|
|
2021-05-06 00:04:03 +02:00
|
|
|
public static final class CompressionAlgorithmPolicy {
|
|
|
|
|
|
|
|
private final CompressionAlgorithm defaultCompressionAlgorithm;
|
|
|
|
private final List<CompressionAlgorithm> acceptableCompressionAlgorithms;
|
|
|
|
|
|
|
|
public CompressionAlgorithmPolicy(CompressionAlgorithm defaultCompressionAlgorithm,
|
|
|
|
List<CompressionAlgorithm> acceptableCompressionAlgorithms) {
|
|
|
|
this.defaultCompressionAlgorithm = defaultCompressionAlgorithm;
|
|
|
|
this.acceptableCompressionAlgorithms = Collections.unmodifiableList(acceptableCompressionAlgorithms);
|
|
|
|
}
|
|
|
|
|
|
|
|
public CompressionAlgorithm defaultCompressionAlgorithm() {
|
|
|
|
return defaultCompressionAlgorithm;
|
|
|
|
}
|
|
|
|
|
|
|
|
public boolean isAcceptable(int compressionAlgorithmTag) {
|
|
|
|
return isAcceptable(CompressionAlgorithm.fromId(compressionAlgorithmTag));
|
|
|
|
}
|
|
|
|
|
|
|
|
public boolean isAcceptable(CompressionAlgorithm compressionAlgorithm) {
|
|
|
|
return acceptableCompressionAlgorithms.contains(compressionAlgorithm);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static CompressionAlgorithmPolicy defaultCompressionAlgorithmPolicy() {
|
2021-09-06 15:13:41 +02:00
|
|
|
return new CompressionAlgorithmPolicy(CompressionAlgorithm.ZIP, Arrays.asList(
|
2021-05-06 00:04:03 +02:00
|
|
|
CompressionAlgorithm.UNCOMPRESSED,
|
|
|
|
CompressionAlgorithm.ZIP,
|
|
|
|
CompressionAlgorithm.BZIP2,
|
|
|
|
CompressionAlgorithm.ZLIB
|
|
|
|
));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-06-11 16:20:29 +02:00
|
|
|
public static final class PublicKeyAlgorithmPolicy {
|
|
|
|
|
2021-08-15 15:37:34 +02:00
|
|
|
private final Map<PublicKeyAlgorithm, Integer> algorithmStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
|
2021-06-11 16:20:29 +02:00
|
|
|
|
|
|
|
public PublicKeyAlgorithmPolicy(Map<PublicKeyAlgorithm, Integer> minimalAlgorithmBitStrengths) {
|
|
|
|
this.algorithmStrengths.putAll(minimalAlgorithmBitStrengths);
|
|
|
|
}
|
|
|
|
|
|
|
|
public boolean isAcceptable(int algorithmId, int bitStrength) {
|
|
|
|
return isAcceptable(PublicKeyAlgorithm.fromId(algorithmId), bitStrength);
|
|
|
|
}
|
|
|
|
|
|
|
|
public boolean isAcceptable(PublicKeyAlgorithm algorithm, int bitStrength) {
|
|
|
|
if (!algorithmStrengths.containsKey(algorithm)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
int minStrength = algorithmStrengths.get(algorithm);
|
|
|
|
return bitStrength >= minStrength;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return PGPainless' default public key algorithm policy.
|
|
|
|
* This policy is based upon recommendations made by the German Federal Office for Information Security (BSI).
|
|
|
|
*
|
|
|
|
* Basically this policy requires keys based on elliptic curves to have a bit strength of at least 250,
|
|
|
|
* and keys based on prime number factorization / discrete logarithm problems to have a strength of at least 2000 bits.
|
|
|
|
*
|
|
|
|
* @see <a href="https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf">
|
|
|
|
* BSI - Technical Guideline - Cryptographic Mechanisms: Recommendations and Key Lengths (2021-01)</a>
|
2021-06-24 17:53:38 +02:00
|
|
|
* @see <a href="https://www.keylength.com/">BlueKrypt | Cryptographic Key Length Recommendation</a>
|
2021-06-11 16:20:29 +02:00
|
|
|
*
|
|
|
|
* @return default algorithm policy
|
|
|
|
*/
|
|
|
|
public static PublicKeyAlgorithmPolicy defaultPublicKeyAlgorithmPolicy() {
|
2021-08-15 15:37:34 +02:00
|
|
|
Map<PublicKeyAlgorithm, Integer> minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
|
2021-06-11 16:20:29 +02:00
|
|
|
// §5.4.1
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 2000);
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_SIGN, 2000);
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_ENCRYPT, 2000);
|
2021-08-15 15:38:31 +02:00
|
|
|
// Note: ElGamal is not mentioned in the BSI document.
|
2021-06-11 16:20:29 +02:00
|
|
|
// We assume that the requirements are similar to other DH algorithms
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_ENCRYPT, 2000);
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_GENERAL, 2000);
|
|
|
|
// §5.4.2
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.DSA, 2000);
|
|
|
|
// §5.4.3
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.ECDSA, 250);
|
2021-08-15 15:38:31 +02:00
|
|
|
// Note: EdDSA is not mentioned in the BSI document.
|
2021-06-11 16:20:29 +02:00
|
|
|
// We assume that the requirements are similar to other EC algorithms.
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.EDDSA, 250);
|
|
|
|
// §7.2.1
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000);
|
|
|
|
// §7.2.2
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250);
|
|
|
|
minimalBitStrengths.put(PublicKeyAlgorithm.EC, 250);
|
|
|
|
|
|
|
|
return new PublicKeyAlgorithmPolicy(minimalBitStrengths);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-05-15 20:27:43 +02:00
|
|
|
/**
|
|
|
|
* Return the {@link NotationRegistry} of PGPainless.
|
2021-08-15 15:38:31 +02:00
|
|
|
* The notation registry is used to decide, whether a Notation is known or not.
|
2021-05-15 20:27:43 +02:00
|
|
|
* Background: Critical unknown notations render signatures invalid.
|
|
|
|
*
|
|
|
|
* @return Notation registry
|
|
|
|
*/
|
2021-04-26 13:38:12 +02:00
|
|
|
public NotationRegistry getNotationRegistry() {
|
|
|
|
return notationRegistry;
|
|
|
|
}
|
2021-02-19 19:51:44 +01:00
|
|
|
}
|