From 09fabd46083fff3c9625f114f2e9c2980f173ab3 Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Sun, 9 Jul 2023 13:43:44 +0200
Subject: [PATCH] Cleanup signature verification

---
 .../consumer/SignatureValidator.java          |  6 +-
 .../kotlin/org/pgpainless/wot/WebOfTrust.kt   | 83 +++++++++++++++++--
 2 files changed, 81 insertions(+), 8 deletions(-)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 27f99499..295af4f2 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -182,8 +182,8 @@ public abstract class SignatureValidator {
      * @param signingKey signing key
      * @return validator
      */
-    private static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy,
-                                                                                PGPPublicKey signingKey) {
+    public static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy,
+                                                                        PGPPublicKey signingKey) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
@@ -207,7 +207,7 @@ public abstract class SignatureValidator {
      * @param policy policy
      * @return validator
      */
-    private static SignatureValidator signatureUsesAcceptableHashAlgorithm(Policy policy) {
+    public static SignatureValidator signatureUsesAcceptableHashAlgorithm(Policy policy) {
         return new SignatureValidator() {
             @Override
             public void verify(PGPSignature signature) throws SignatureValidationException {
diff --git a/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt b/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt
index e828aa51..767acf3f 100644
--- a/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt
+++ b/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt
@@ -8,6 +8,7 @@ import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.KeyFlag
+import org.pgpainless.algorithm.SignatureType
 import org.pgpainless.exception.SignatureValidationException
 import org.pgpainless.key.OpenPgpFingerprint
 import org.pgpainless.key.info.KeyRingInfo
@@ -15,7 +16,7 @@ import org.pgpainless.key.util.KeyRingUtils
 import org.pgpainless.key.util.RevocationAttributes
 import org.pgpainless.policy.Policy
 import org.pgpainless.signature.SignatureUtils
-import org.pgpainless.signature.consumer.SignatureVerifier
+import org.pgpainless.signature.consumer.SignatureValidator
 import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil
 import org.pgpainless.wot.network.*
 import org.pgpainless.wot.network.ReferenceTime.Companion.now
@@ -114,6 +115,8 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
             val expirationDate: Date? = try {
                 cert.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER)
             } catch (e: NoSuchElementException) {
+                LOGGER.warn("Could not deduce expiration time of ${cert.fingerprint}. " +
+                        "Possibly hard revoked cert or illegal algorithms? Skip certificate.");
                 // Some keys are malformed and have no KeyFlags
                 // TODO: We also end up here for expired keys unfortunately
                 return
@@ -193,8 +196,7 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
                 val issuer = nodeMap[issuerFingerprint]!!
 
                 try {
-                    val valid = SignatureVerifier.verifyDirectKeySignature(delegation, issuerSigningKey,
-                            targetPrimaryKey, policy, referenceTime.timestamp)
+                    val valid = verifyDelegation(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
                     if (valid) {
                         networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
                         return // we're done
@@ -207,6 +209,23 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
             }
         }
 
+        /**
+         * Verify a delegation signature over a primary key.
+         * This method returns true, if the signature is correct and well-formed.
+         * It does not reject expired or revoked signatures.
+         */
+        fun verifyDelegation(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, policy: Policy): Boolean {
+            // Check signature type
+            SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(signature)
+
+            // common verification steps that are shared by delegations and certifications
+            verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
+
+            // check signature correctness
+            SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature)
+            return true
+        }
+
         /**
          * Process a certification (third-party-issued certification over the given [userId])
          * and add it upon successful verification as an edge to the [Network.Builder].
@@ -231,8 +250,7 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
                 val issuer = nodeMap[issuerFingerprint]!!
 
                 try {
-                    val valid = SignatureVerifier.verifySignatureOverUserId(userId, certification,
-                            issuerSigningKey, targetPrimaryKey, policy, referenceTime.timestamp)
+                    val valid = verifyCertification(candidate, certification, issuerSigningKey, targetPrimaryKey, userId, policy)
                     if (valid) {
                         networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
                         return // we're done
@@ -244,6 +262,61 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
             }
         }
 
+        /**
+         * Verify a certification over a user-ID.
+         * This method returns true, if the signature is correct and well-formed.
+         * It does not reject expired or revoked signatures.
+         */
+        fun verifyCertification(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, userId: String, policy: Policy): Boolean {
+            // check signature type
+            SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION, SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION, SignatureType.POSITIVE_CERTIFICATION).verify(signature)
+
+            // perform shared verification steps
+            verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
+
+            // check correct signature
+            SignatureValidator.correctSignatureOverUserId(userId, signedKey, signingKey).verify(signature)
+            return true
+        }
+
+        fun verifyCommonSignatureCriteria(issuer: KeyRingInfo,
+                                          signature: PGPSignature,
+                                          signingKey: PGPPublicKey,
+                                          signedKey: PGPPublicKey,
+                                          policy: Policy): Boolean {
+            // Check for general "well-formed-ness" (has legal creation time)
+            SignatureValidator.signatureIsNotMalformed(signingKey).verify(signature)
+            // Check for unknown critical notations or subpackets
+            if (signature.version >= 4) {
+                SignatureValidator.signatureDoesNotHaveCriticalUnknownNotations(policy.notationRegistry).verify(signature)
+                SignatureValidator.signatureDoesNotHaveCriticalUnknownSubpackets().verify(signature)
+            }
+            // check for signature effectiveness at reference time (was created before reference time, is not expired)
+            SignatureValidator.signatureIsEffective(referenceTime.timestamp).verify(signature)
+            // check if signature is not invalidated by hard-revoked cert
+            if (issuer.revocationState == org.pgpainless.algorithm.RevocationState.hardRevoked()) {
+                // cert is hard revoked
+                throw SignatureValidationException("Signature is invalid because certificate ${issuer.fingerprint} is hard revoked.")
+            }
+            // check if signature is not invalidated by soft-revoked cert
+            if (issuer.revocationState.isSoftRevocation) {
+                SignatureValidator.signatureWasCreatedInBounds(issuer.creationDate, issuer.revocationDate).verify(signature)
+            }
+            // check if signature is not invalidated by expired primary key
+            val exp = issuer.primaryKeyExpirationDate
+            if (exp != null) {
+                SignatureValidator.signatureWasCreatedInBounds(issuer.creationDate, exp).verify(signature)
+            }
+            // check signature algorithms against our algorithm policy
+            SignatureValidator.signatureUsesAcceptableHashAlgorithm(policy).verify(signature)
+            SignatureValidator.signatureUsesAcceptablePublicKeyAlgorithm(policy, signingKey).verify(signature)
+
+            // check if signature is not created before the target key
+            SignatureValidator.signatureDoesNotPredateSignee(signedKey).verify(signature)
+
+            return true
+        }
+
         /**
          * Map an [OpenPgpFingerprint] to a [Fingerprint].
          *