From 170aaaa0c58a1694f45d01b7bcba936678bdc711 Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Mon, 4 Jul 2022 11:05:16 +0200
Subject: [PATCH] Document KO protection utility class

---
 .../key/util/PublicKeyParameterValidationUtil.java       | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
index fbddb080..d3c7fe68 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java
@@ -38,6 +38,15 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
 import org.pgpainless.exception.KeyIntegrityException;
 import org.pgpainless.implementation.ImplementationFactory;
 
+/**
+ * Utility class to verify keys against Key Overwriting (KO) attacks.
+ * This class of attacks is only possible if the attacker has access to the (encrypted) secret key material.
+ * To execute the attack, they would modify the unauthenticated parameters of the users public key.
+ * Using the modified public key in combination with the unmodified secret key material can then lead to the
+ * extraction of secret key parameters via weakly crafted messages.
+ *
+ * @see <a href="https://www.kopenpgp.com/">Key Overwriting (KO) Attacks against OpenPGP</a>
+ */
 public class PublicKeyParameterValidationUtil {
 
     public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey)