mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-23 11:27:57 +01:00
Remove workaround for publicKey.getBitStrength() == -1 in BC
see https://github.com/bcgit/bc-java/issues/972
This commit is contained in:
parent
e374951ed0
commit
01839728f0
4 changed files with 10 additions and 53 deletions
|
@ -64,7 +64,6 @@ import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||||
import org.pgpainless.util.BCUtil;
|
|
||||||
import org.pgpainless.util.CollectionUtils;
|
import org.pgpainless.util.CollectionUtils;
|
||||||
import org.pgpainless.util.Passphrase;
|
import org.pgpainless.util.Passphrase;
|
||||||
import org.pgpainless.util.selection.userid.SelectUserId;
|
import org.pgpainless.util.selection.userid.SelectUserId;
|
||||||
|
@ -278,7 +277,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
||||||
|
|
||||||
// check key against public key algorithm policy
|
// check key against public key algorithm policy
|
||||||
PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
|
PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
|
||||||
int bitStrength = BCUtil.getBitStrength(subkey.getPublicKey());
|
int bitStrength = subkey.getPublicKey().getBitStrength();
|
||||||
if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
|
if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
|
||||||
throw new IllegalArgumentException("Public key algorithm policy violation: " +
|
throw new IllegalArgumentException("Public key algorithm policy violation: " +
|
||||||
publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
|
publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
|
|
||||||
package org.pgpainless.signature.consumer;
|
package org.pgpainless.signature.consumer;
|
||||||
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
|
@ -32,7 +31,6 @@ import org.pgpainless.key.OpenPgpFingerprint;
|
||||||
import org.pgpainless.policy.Policy;
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.SignatureUtils;
|
import org.pgpainless.signature.SignatureUtils;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||||
import org.pgpainless.util.BCUtil;
|
|
||||||
import org.pgpainless.util.DateUtil;
|
import org.pgpainless.util.DateUtil;
|
||||||
import org.pgpainless.util.NotationRegistry;
|
import org.pgpainless.util.NotationRegistry;
|
||||||
|
|
||||||
|
@ -171,15 +169,14 @@ public abstract class SignatureValidator {
|
||||||
@Override
|
@Override
|
||||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||||
PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.fromId(signingKey.getAlgorithm());
|
PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.fromId(signingKey.getAlgorithm());
|
||||||
try {
|
int bitStrength = signingKey.getBitStrength();
|
||||||
int bitStrength = BCUtil.getBitStrength(signingKey);
|
if (bitStrength == -1) {
|
||||||
|
throw new SignatureValidationException("Cannot determine bit strength of signing key.");
|
||||||
|
}
|
||||||
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
|
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
|
||||||
throw new SignatureValidationException("Signature was made using unacceptable key. " +
|
throw new SignatureValidationException("Signature was made using unacceptable key. " +
|
||||||
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
|
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
|
||||||
}
|
}
|
||||||
} catch (NoSuchAlgorithmException e) {
|
|
||||||
throw new SignatureValidationException("Cannot determine bit strength of signing key.", e);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,50 +4,12 @@
|
||||||
|
|
||||||
package org.pgpainless.util;
|
package org.pgpainless.util;
|
||||||
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
|
||||||
|
|
||||||
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
|
||||||
import org.bouncycastle.bcpg.ECPublicBCPGKey;
|
|
||||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
|
||||||
|
|
||||||
public final class BCUtil {
|
public final class BCUtil {
|
||||||
|
|
||||||
private BCUtil() {
|
private BCUtil() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Utility method to get the bit strength of OpenPGP keys.
|
|
||||||
* Bouncycastle is lacking support for some keys (eg. EdDSA, X25519), so this method
|
|
||||||
* manually derives the bit strength from the keys curves OID.
|
|
||||||
*
|
|
||||||
* @param key key
|
|
||||||
* @return bit strength
|
|
||||||
*/
|
|
||||||
public static int getBitStrength(PGPPublicKey key) throws NoSuchAlgorithmException {
|
|
||||||
int bitStrength = key.getBitStrength();
|
|
||||||
|
|
||||||
if (bitStrength == -1) {
|
|
||||||
// BC's PGPPublicKey.getBitStrength() does fail for some keys (EdDSA, X25519)
|
|
||||||
// therefore we manually set the bit strength.
|
|
||||||
// see https://github.com/bcgit/bc-java/issues/972
|
|
||||||
|
|
||||||
ASN1ObjectIdentifier oid = ((ECPublicBCPGKey) key.getPublicKeyPacket().getKey()).getCurveOID();
|
|
||||||
if (oid.getId().equals("1.3.6.1.4.1.11591.15.1")) {
|
|
||||||
// ed25519 is 256 bits
|
|
||||||
bitStrength = 256;
|
|
||||||
} else if (oid.getId().equals("1.3.6.1.4.1.3029.1.5.1")) {
|
|
||||||
// curvey25519 is 256 bits
|
|
||||||
bitStrength = 256;
|
|
||||||
} else {
|
|
||||||
throw new NoSuchAlgorithmException("Unknown curve: " + oid.getId());
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
return bitStrength;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A constant time equals comparison - does not terminate early if
|
* A constant time equals comparison - does not terminate early if
|
||||||
* test will fail. For best results always pass the expected value
|
* test will fail. For best results always pass the expected value
|
||||||
|
|
|
@ -29,9 +29,8 @@ import org.pgpainless.key.generation.type.rsa.RsaLength;
|
||||||
import org.pgpainless.key.generation.type.xdh.XDHSpec;
|
import org.pgpainless.key.generation.type.xdh.XDHSpec;
|
||||||
import org.pgpainless.key.info.KeyInfo;
|
import org.pgpainless.key.info.KeyInfo;
|
||||||
import org.pgpainless.key.util.UserId;
|
import org.pgpainless.key.util.UserId;
|
||||||
import org.pgpainless.util.BCUtil;
|
|
||||||
import org.pgpainless.util.TestAllImplementations;
|
|
||||||
import org.pgpainless.util.Passphrase;
|
import org.pgpainless.util.Passphrase;
|
||||||
|
import org.pgpainless.util.TestAllImplementations;
|
||||||
|
|
||||||
public class BrainpoolKeyGenerationTest {
|
public class BrainpoolKeyGenerationTest {
|
||||||
|
|
||||||
|
@ -96,22 +95,22 @@ public class BrainpoolKeyGenerationTest {
|
||||||
PGPSecretKey ecdsaPrim = iterator.next();
|
PGPSecretKey ecdsaPrim = iterator.next();
|
||||||
KeyInfo ecdsaInfo = new KeyInfo(ecdsaPrim);
|
KeyInfo ecdsaInfo = new KeyInfo(ecdsaPrim);
|
||||||
assertEquals(EllipticCurve._BRAINPOOLP384R1.getName(), ecdsaInfo.getCurveName());
|
assertEquals(EllipticCurve._BRAINPOOLP384R1.getName(), ecdsaInfo.getCurveName());
|
||||||
assertEquals(384, BCUtil.getBitStrength(ecdsaPrim.getPublicKey()));
|
assertEquals(384, ecdsaPrim.getPublicKey().getBitStrength());
|
||||||
|
|
||||||
PGPSecretKey eddsaSub = iterator.next();
|
PGPSecretKey eddsaSub = iterator.next();
|
||||||
KeyInfo eddsaInfo = new KeyInfo(eddsaSub);
|
KeyInfo eddsaInfo = new KeyInfo(eddsaSub);
|
||||||
assertEquals(EdDSACurve._Ed25519.getName(), eddsaInfo.getCurveName());
|
assertEquals(EdDSACurve._Ed25519.getName(), eddsaInfo.getCurveName());
|
||||||
assertEquals(256, BCUtil.getBitStrength(eddsaSub.getPublicKey()));
|
assertEquals(256, eddsaSub.getPublicKey().getBitStrength());
|
||||||
|
|
||||||
PGPSecretKey xdhSub = iterator.next();
|
PGPSecretKey xdhSub = iterator.next();
|
||||||
KeyInfo xdhInfo = new KeyInfo(xdhSub);
|
KeyInfo xdhInfo = new KeyInfo(xdhSub);
|
||||||
assertEquals(XDHSpec._X25519.getCurveName(), xdhInfo.getCurveName());
|
assertEquals(XDHSpec._X25519.getCurveName(), xdhInfo.getCurveName());
|
||||||
assertEquals(256, BCUtil.getBitStrength(xdhSub.getPublicKey()));
|
assertEquals(256, xdhSub.getPublicKey().getBitStrength());
|
||||||
|
|
||||||
PGPSecretKey rsaSub = iterator.next();
|
PGPSecretKey rsaSub = iterator.next();
|
||||||
KeyInfo rsaInfo = new KeyInfo(rsaSub);
|
KeyInfo rsaInfo = new KeyInfo(rsaSub);
|
||||||
assertThrows(IllegalArgumentException.class, rsaInfo::getCurveName, "RSA is not a curve-based encryption system");
|
assertThrows(IllegalArgumentException.class, rsaInfo::getCurveName, "RSA is not a curve-based encryption system");
|
||||||
assertEquals(3072, BCUtil.getBitStrength(rsaSub.getPublicKey()));
|
assertEquals(3072, rsaSub.getPublicKey().getBitStrength());
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
|
public PGPSecretKeyRing generateKey(KeySpec primaryKey, KeySpec subKey, String userId) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
|
||||||
|
|
Loading…
Reference in a new issue