Allow generation of keys with empty key flags.
Forbid certification of thirdparty certificates if CERTIFY_OTHERS flag is missing
This commit is contained in:
parent
e7e269d7ce
commit
1b96919d84
GPG Key ID:
62BEE9264BF17311
|
|
@ -18,7 +18,7 @@ import org.bouncycastle.bcpg.sig.KeyFlags;
|
|||
public enum KeyFlag {
|
||||
|
||||
/**
|
||||
* This key may be used to certify other keys.
|
||||
* This key may be used to certify third-party keys.
|
||||
*/
|
||||
CERTIFY_OTHER (KeyFlags.CERTIFY_OTHER),
|
||||
|
||||
|
|
|
|||
|
|
@ -67,6 +67,13 @@ public abstract class KeyException extends RuntimeException {
|
|||
}
|
||||
}
|
||||
|
||||
public static class UnacceptableThirdPartyCertificationKeyException extends KeyException {
|
||||
|
||||
public UnacceptableThirdPartyCertificationKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
|
||||
super("Key " + fingerprint + " has no acceptable certification key.", fingerprint);
|
||||
}
|
||||
}
|
||||
|
||||
public static class UnacceptableSelfSignatureException extends KeyException {
|
||||
|
||||
public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {
|
||||
|
|
|
|||
|
|
@ -280,6 +280,10 @@ public class CertifyCertificate {
|
|||
throw new KeyException.RevokedKeyException(fingerprint);
|
||||
}
|
||||
|
||||
if (!info.isUsableForThirdPartyCertification()) {
|
||||
throw new KeyException.UnacceptableThirdPartyCertificationKeyException(fingerprint);
|
||||
}
|
||||
|
||||
Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
|
||||
if (expirationDate != null && expirationDate.before(now)) {
|
||||
throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ import java.util.Map;
|
|||
import javax.annotation.Nonnull;
|
||||
import javax.annotation.Nullable;
|
||||
|
||||
import org.bouncycastle.bcpg.sig.KeyFlags;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPKeyPair;
|
||||
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
|
||||
|
|
@ -128,19 +127,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
|
|||
}
|
||||
|
||||
private void verifyMasterKeyCanCertify(KeySpec spec) {
|
||||
if (!hasCertifyOthersFlag(spec)) {
|
||||
throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
|
||||
}
|
||||
if (!keyIsCertificationCapable(spec)) {
|
||||
throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
|
||||
}
|
||||
}
|
||||
|
||||
private boolean hasCertifyOthersFlag(KeySpec keySpec) {
|
||||
KeyFlags keyFlags = keySpec.getSubpacketGenerator().getKeyFlagsSubpacket();
|
||||
return keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER);
|
||||
}
|
||||
|
||||
private boolean keyIsCertificationCapable(KeySpec keySpec) {
|
||||
return keySpec.getKeyType().canCertify();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ public class KeySpec {
|
|||
return keyCreationDate;
|
||||
}
|
||||
|
||||
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) {
|
||||
return new KeySpecBuilder(type, flag, flags);
|
||||
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) {
|
||||
return new KeySpecBuilder(type, flags);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ import org.pgpainless.key.generation.type.KeyType;
|
|||
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
||||
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||
import org.pgpainless.util.CollectionUtils;
|
||||
|
||||
public class KeySpecBuilder implements KeySpecBuilderInterface {
|
||||
|
||||
|
|
@ -34,17 +33,14 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
|
|||
private Set<SymmetricKeyAlgorithm> preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
|
||||
private Date keyCreationDate;
|
||||
|
||||
KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) {
|
||||
if (flag == null) {
|
||||
throw new IllegalArgumentException("Key MUST carry at least one key flag");
|
||||
}
|
||||
KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) {
|
||||
if (flags == null) {
|
||||
throw new IllegalArgumentException("List of additional flags MUST NOT be null.");
|
||||
this.keyFlags = new KeyFlag[0];
|
||||
} else {
|
||||
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
|
||||
this.keyFlags = flags;
|
||||
}
|
||||
flags = CollectionUtils.concat(flag, flags);
|
||||
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
|
||||
this.type = type;
|
||||
this.keyFlags = flags;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -1170,6 +1170,10 @@ public class KeyRingInfo {
|
|||
return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
|
||||
}
|
||||
|
||||
public boolean isUsableForThirdPartyCertification() {
|
||||
return isKeyValidlyBound(getKeyId()) && getKeyFlagsOf(getKeyId()).contains(KeyFlag.CERTIFY_OTHER);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true, if the certificate has at least one usable encryption subkey.
|
||||
*
|
||||
|
|
|
|||
|
|
@ -0,0 +1,53 @@
|
|||
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.key.generation;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.algorithm.KeyFlag;
|
||||
import org.pgpainless.exception.KeyException;
|
||||
import org.pgpainless.key.TestKeys;
|
||||
import org.pgpainless.key.generation.type.KeyType;
|
||||
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
|
||||
import org.pgpainless.key.generation.type.xdh.XDHSpec;
|
||||
import org.pgpainless.key.info.KeyRingInfo;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
|
||||
public class GenerateKeyWithoutPrimaryKeyFlagsTest {
|
||||
|
||||
@Test
|
||||
public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
|
||||
PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)))
|
||||
.addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
|
||||
.addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
|
||||
.addUserId("Alice")
|
||||
.build();
|
||||
|
||||
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
|
||||
assertTrue(info.getValidUserIds().contains("Alice"));
|
||||
|
||||
long primaryKeyId = info.getKeyId();
|
||||
assertTrue(info.getKeyFlagsOf("Alice").isEmpty());
|
||||
assertTrue(info.getKeyFlagsOf(primaryKeyId).isEmpty());
|
||||
assertFalse(info.isUsableForThirdPartyCertification());
|
||||
|
||||
// Key without CERTIFY_OTHER flag cannot be used to certify other keys
|
||||
PGPPublicKeyRing thirdPartyCert = TestKeys.getCryptiePublicKeyRing();
|
||||
assertThrows(KeyException.UnacceptableThirdPartyCertificationKeyException.class, () ->
|
||||
PGPainless.certify().certificate(thirdPartyCert)
|
||||
.withKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()));
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue