1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-29 07:42:06 +01:00

Add SignedByMasterKey selector

This commit is contained in:
Paul Schaub 2018-07-02 20:09:35 +02:00
parent 992bff6b3f
commit 07328af968
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
3 changed files with 81 additions and 30 deletions

View file

@ -0,0 +1,37 @@
package org.pgpainless.pgpainless.key.selection.key.impl;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.pgpainless.pgpainless.key.selection.key.PublicKeySelectionStrategy;
public class SignedByMasterKey {
private static final Logger LOGGER = Logger.getLogger(SignedByMasterKey.class.getName());
public static class PubkeySelectionStrategy extends PublicKeySelectionStrategy<Long> {
@Override
public boolean accept(Long identifier, PGPPublicKey key) {
Iterator<PGPSignature> signatures = key.getSignaturesForKeyID(identifier);
while (signatures.hasNext()) {
PGPSignature signature = signatures.next();
if (signature.getSignatureType() == PGPSignature.SUBKEY_BINDING) {
try {
return signature.verify();
} catch (PGPException e) {
LOGGER.log(Level.WARNING, "Could not verify subkey signature of key " +
Long.toHexString(signature.getKeyID()) + " on key " + Long.toHexString(key.getKeyID()));
return false;
}
}
}
return false;
}
}
}

View file

@ -42,6 +42,10 @@ import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.util.io.Streams;
import org.pgpainless.pgpainless.algorithm.KeyFlag;
import org.pgpainless.pgpainless.key.selection.key.PublicKeySelectionStrategy;
import org.pgpainless.pgpainless.key.selection.key.impl.And;
import org.pgpainless.pgpainless.key.selection.key.impl.NoRevocation;
import org.pgpainless.pgpainless.key.selection.key.impl.SignedByMasterKey;
public class BCUtil {
@ -113,7 +117,7 @@ public class BCUtil {
public static PGPPublicKeyRing getKeyRingFromCollection(PGPPublicKeyRingCollection collection, Long id)
throws PGPException {
return removeUnsignedKeysFromKeyRing(collection.getPublicKeyRing(id), id);
return removeUnassociatedKeysFromKeyRing(collection.getPublicKeyRing(id), id);
}
public static InputStream getPgpDecoderInputStream(byte[] bytes) throws IOException {
@ -136,21 +140,27 @@ public class BCUtil {
return getDecodedBytes(buffer.toByteArray());
}
public static PGPPublicKeyRing removeUnsignedKeysFromKeyRing(PGPPublicKeyRing ring, Long masterKeyId) {
/**
* Remove all keys from the key ring, are either not having a subkey signature from the master key
* (identified by {@code masterKeyId}), or are revoked ("normal" key revocation, as well as subkey revocation).
*
* @param ring key ring
* @param masterKeyId id of the master key
* @return "cleaned" key ring
*/
public static PGPPublicKeyRing removeUnassociatedKeysFromKeyRing(PGPPublicKeyRing ring, Long masterKeyId) {
Set<Long> signedKeyIds = new HashSet<>();
signedKeyIds.add(masterKeyId);
Iterator<PGPPublicKey> signedKeys = ring.getKeysWithSignaturesBy(masterKeyId);
while (signedKeys.hasNext()) {
signedKeyIds.add(signedKeys.next().getKeyID());
}
// Only select keys which are signed by the master key and not revoked.
PublicKeySelectionStrategy<Long> selector = new And.PubKeySelectionStrategy<>(
new SignedByMasterKey.PubkeySelectionStrategy(),
new NoRevocation.PubKeySelectionStrategy<>());
PGPPublicKeyRing cleaned = ring;
Iterator<PGPPublicKey> publicKeys = ring.getPublicKeys();
while (publicKeys.hasNext()) {
PGPPublicKey publicKey = publicKeys.next();
if (!signedKeyIds.contains(publicKey.getKeyID())) {
if (!selector.accept(masterKeyId, publicKey)) {
cleaned = PGPPublicKeyRing.removePublicKey(cleaned, publicKey);
}
}
@ -158,20 +168,27 @@ public class BCUtil {
return cleaned;
}
public static PGPSecretKeyRing removeUnsignedKeysFromKeyRing(PGPSecretKeyRing ring, Long masterKeyId) {
Set<Long> signedKeyIds = new HashSet<>();
signedKeyIds.add(masterKeyId);
Iterator<PGPPublicKey> signedKeys = ring.getKeysWithSignaturesBy(masterKeyId);
while (signedKeys.hasNext()) {
signedKeyIds.add(signedKeys.next().getKeyID());
}
/**
* Remove all keys from the key ring, are either not having a subkey signature from the master key
* (identified by {@code masterKeyId}), or are revoked ("normal" key revocation, as well as subkey revocation).
*
* @param ring key ring
* @param masterKeyId id of the master key
* @return "cleaned" key ring
*/
public static PGPSecretKeyRing removeUnassociatedKeysFromKeyRing(PGPSecretKeyRing ring, Long masterKeyId) {
// Only select keys which are signed by the master key and not revoked.
PublicKeySelectionStrategy<Long> selector = new And.PubKeySelectionStrategy<>(
new SignedByMasterKey.PubkeySelectionStrategy(),
new NoRevocation.PubKeySelectionStrategy<>());
PGPSecretKeyRing cleaned = ring;
Iterator<PGPSecretKey> secretKeys = ring.getSecretKeys();
while (secretKeys.hasNext()) {
PGPSecretKey secretKey = secretKeys.next();
if (!signedKeyIds.contains(secretKey.getKeyID())) {
if (!selector.accept(masterKeyId, secretKey.getPublicKey())) {
cleaned = PGPSecretKeyRing.removeSecretKey(cleaned, secretKey);
}
}
@ -179,11 +196,18 @@ public class BCUtil {
return cleaned;
}
/**
* Return the {@link PGPPublicKey} which is the master key of the key ring.
*
* @param ring key ring
* @return master key
*/
public static PGPPublicKey getMasterKeyFrom(PGPPublicKeyRing ring) {
Iterator<PGPPublicKey> it = ring.getPublicKeys();
while (it.hasNext()) {
PGPPublicKey k = it.next();
if (k.isMasterKey()) {
// There can only be one master key, so we can immediately return
return k;
}
}
@ -232,20 +256,10 @@ public class BCUtil {
}
public static boolean keyRingContainsKeyWithId(PGPPublicKeyRing ring, long keyId) {
Iterator<PGPPublicKey> keys = ring.getPublicKeys();
while (keys.hasNext()) {
PGPPublicKey key = keys.next();
if (key.getKeyID() == keyId) return true;
}
return false;
return ring.getPublicKey(keyId) != null;
}
public static boolean keyRingContainsKeyWithId(PGPSecretKeyRing ring, long keyId) {
Iterator<PGPPublicKey> keys = ring.getPublicKeys();
while (keys.hasNext()) {
PGPPublicKey key = keys.next();
if (key.getKeyID() == keyId) return true;
}
return false;
return ring.getSecretKey(keyId) != null;
}
}

View file

@ -119,7 +119,7 @@ public class BCUtilTest extends AbstractPGPainlessTest {
// Check, if alice_mallory contains mallory's key
assertNotNull(alice_mallory.getSecretKey(subKey.getKeyID()));
PGPSecretKeyRing cleaned = BCUtil.removeUnsignedKeysFromKeyRing(alice_mallory, alice.getPublicKey().getKeyID());
PGPSecretKeyRing cleaned = BCUtil.removeUnassociatedKeysFromKeyRing(alice_mallory, alice.getPublicKey().getKeyID());
assertNull(cleaned.getSecretKey(subKey.getKeyID()));
}
}