1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-22 19:08:00 +01:00

Allow generation of keys with empty key flags.

Forbid certification of thirdparty certificates if CERTIFY_OTHERS flag is missing
This commit is contained in:
Paul Schaub 2023-10-09 12:02:10 +02:00
parent e7e269d7ce
commit 1b96919d84
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
8 changed files with 76 additions and 21 deletions

View file

@ -18,7 +18,7 @@ import org.bouncycastle.bcpg.sig.KeyFlags;
public enum KeyFlag {
/**
* This key may be used to certify other keys.
* This key may be used to certify third-party keys.
*/
CERTIFY_OTHER (KeyFlags.CERTIFY_OTHER),

View file

@ -67,6 +67,13 @@ public abstract class KeyException extends RuntimeException {
}
}
public static class UnacceptableThirdPartyCertificationKeyException extends KeyException {
public UnacceptableThirdPartyCertificationKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
super("Key " + fingerprint + " has no acceptable certification key.", fingerprint);
}
}
public static class UnacceptableSelfSignatureException extends KeyException {
public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {

View file

@ -280,6 +280,10 @@ public class CertifyCertificate {
throw new KeyException.RevokedKeyException(fingerprint);
}
if (!info.isUsableForThirdPartyCertification()) {
throw new KeyException.UnacceptableThirdPartyCertificationKeyException(fingerprint);
}
Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
if (expirationDate != null && expirationDate.before(now)) {
throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);

View file

@ -19,7 +19,6 @@ import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.bcpg.sig.KeyFlags;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
@ -128,19 +127,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
}
private void verifyMasterKeyCanCertify(KeySpec spec) {
if (!hasCertifyOthersFlag(spec)) {
throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
}
if (!keyIsCertificationCapable(spec)) {
throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
}
}
private boolean hasCertifyOthersFlag(KeySpec keySpec) {
KeyFlags keyFlags = keySpec.getSubpacketGenerator().getKeyFlagsSubpacket();
return keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER);
}
private boolean keyIsCertificationCapable(KeySpec keySpec) {
return keySpec.getKeyType().canCertify();
}

View file

@ -56,7 +56,7 @@ public class KeySpec {
return keyCreationDate;
}
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) {
return new KeySpecBuilder(type, flag, flags);
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) {
return new KeySpecBuilder(type, flags);
}
}

View file

@ -21,7 +21,6 @@ import org.pgpainless.key.generation.type.KeyType;
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.pgpainless.util.CollectionUtils;
public class KeySpecBuilder implements KeySpecBuilderInterface {
@ -34,17 +33,14 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
private Set<SymmetricKeyAlgorithm> preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
private Date keyCreationDate;
KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) {
if (flag == null) {
throw new IllegalArgumentException("Key MUST carry at least one key flag");
}
KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) {
if (flags == null) {
throw new IllegalArgumentException("List of additional flags MUST NOT be null.");
this.keyFlags = new KeyFlag[0];
} else {
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
this.keyFlags = flags;
}
flags = CollectionUtils.concat(flag, flags);
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
this.type = type;
this.keyFlags = flags;
}
@Override

View file

@ -1170,6 +1170,10 @@ public class KeyRingInfo {
return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
}
public boolean isUsableForThirdPartyCertification() {
return isKeyValidlyBound(getKeyId()) && getKeyFlagsOf(getKeyId()).contains(KeyFlag.CERTIFY_OTHER);
}
/**
* Returns true, if the certificate has at least one usable encryption subkey.
*

View file

@ -0,0 +1,53 @@
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package org.pgpainless.key.generation;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.junit.jupiter.api.Test;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.exception.KeyException;
import org.pgpainless.key.TestKeys;
import org.pgpainless.key.generation.type.KeyType;
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
import org.pgpainless.key.generation.type.xdh.XDHSpec;
import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class GenerateKeyWithoutPrimaryKeyFlagsTest {
@Test
public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)))
.addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
.addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
.addUserId("Alice")
.build();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
assertTrue(info.getValidUserIds().contains("Alice"));
long primaryKeyId = info.getKeyId();
assertTrue(info.getKeyFlagsOf("Alice").isEmpty());
assertTrue(info.getKeyFlagsOf(primaryKeyId).isEmpty());
assertFalse(info.isUsableForThirdPartyCertification());
// Key without CERTIFY_OTHER flag cannot be used to certify other keys
PGPPublicKeyRing thirdPartyCert = TestKeys.getCryptiePublicKeyRing();
assertThrows(KeyException.UnacceptableThirdPartyCertificationKeyException.class, () ->
PGPainless.certify().certificate(thirdPartyCert)
.withKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()));
}
}