mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-19 02:42:05 +01:00
Allow generation of keys with empty key flags.
Forbid certification of thirdparty certificates if CERTIFY_OTHERS flag is missing
This commit is contained in:
parent
e7e269d7ce
commit
1b96919d84
8 changed files with 76 additions and 21 deletions
|
@ -18,7 +18,7 @@ import org.bouncycastle.bcpg.sig.KeyFlags;
|
||||||
public enum KeyFlag {
|
public enum KeyFlag {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This key may be used to certify other keys.
|
* This key may be used to certify third-party keys.
|
||||||
*/
|
*/
|
||||||
CERTIFY_OTHER (KeyFlags.CERTIFY_OTHER),
|
CERTIFY_OTHER (KeyFlags.CERTIFY_OTHER),
|
||||||
|
|
||||||
|
|
|
@ -67,6 +67,13 @@ public abstract class KeyException extends RuntimeException {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static class UnacceptableThirdPartyCertificationKeyException extends KeyException {
|
||||||
|
|
||||||
|
public UnacceptableThirdPartyCertificationKeyException(@Nonnull OpenPgpFingerprint fingerprint) {
|
||||||
|
super("Key " + fingerprint + " has no acceptable certification key.", fingerprint);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public static class UnacceptableSelfSignatureException extends KeyException {
|
public static class UnacceptableSelfSignatureException extends KeyException {
|
||||||
|
|
||||||
public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {
|
public UnacceptableSelfSignatureException(@Nonnull OpenPgpFingerprint fingerprint) {
|
||||||
|
|
|
@ -280,6 +280,10 @@ public class CertifyCertificate {
|
||||||
throw new KeyException.RevokedKeyException(fingerprint);
|
throw new KeyException.RevokedKeyException(fingerprint);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!info.isUsableForThirdPartyCertification()) {
|
||||||
|
throw new KeyException.UnacceptableThirdPartyCertificationKeyException(fingerprint);
|
||||||
|
}
|
||||||
|
|
||||||
Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
|
Date expirationDate = info.getExpirationDateForUse(KeyFlag.CERTIFY_OTHER);
|
||||||
if (expirationDate != null && expirationDate.before(now)) {
|
if (expirationDate != null && expirationDate.before(now)) {
|
||||||
throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
|
throw new KeyException.ExpiredKeyException(fingerprint, expirationDate);
|
||||||
|
|
|
@ -19,7 +19,6 @@ import java.util.Map;
|
||||||
import javax.annotation.Nonnull;
|
import javax.annotation.Nonnull;
|
||||||
import javax.annotation.Nullable;
|
import javax.annotation.Nullable;
|
||||||
|
|
||||||
import org.bouncycastle.bcpg.sig.KeyFlags;
|
|
||||||
import org.bouncycastle.openpgp.PGPException;
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPKeyPair;
|
import org.bouncycastle.openpgp.PGPKeyPair;
|
||||||
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
|
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
|
||||||
|
@ -128,19 +127,11 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void verifyMasterKeyCanCertify(KeySpec spec) {
|
private void verifyMasterKeyCanCertify(KeySpec spec) {
|
||||||
if (!hasCertifyOthersFlag(spec)) {
|
|
||||||
throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
|
|
||||||
}
|
|
||||||
if (!keyIsCertificationCapable(spec)) {
|
if (!keyIsCertificationCapable(spec)) {
|
||||||
throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
|
throw new IllegalArgumentException("Key algorithm " + spec.getKeyType().getName() + " is not capable of creating certifications.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean hasCertifyOthersFlag(KeySpec keySpec) {
|
|
||||||
KeyFlags keyFlags = keySpec.getSubpacketGenerator().getKeyFlagsSubpacket();
|
|
||||||
return keyFlags != null && KeyFlag.hasKeyFlag(keyFlags.getFlags(), KeyFlag.CERTIFY_OTHER);
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean keyIsCertificationCapable(KeySpec keySpec) {
|
private boolean keyIsCertificationCapable(KeySpec keySpec) {
|
||||||
return keySpec.getKeyType().canCertify();
|
return keySpec.getKeyType().canCertify();
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,7 +56,7 @@ public class KeySpec {
|
||||||
return keyCreationDate;
|
return keyCreationDate;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag flag, KeyFlag... flags) {
|
public static KeySpecBuilder getBuilder(KeyType type, KeyFlag... flags) {
|
||||||
return new KeySpecBuilder(type, flag, flags);
|
return new KeySpecBuilder(type, flags);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,7 +21,6 @@ import org.pgpainless.key.generation.type.KeyType;
|
||||||
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||||
import org.pgpainless.util.CollectionUtils;
|
|
||||||
|
|
||||||
public class KeySpecBuilder implements KeySpecBuilderInterface {
|
public class KeySpecBuilder implements KeySpecBuilderInterface {
|
||||||
|
|
||||||
|
@ -34,18 +33,15 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
|
||||||
private Set<SymmetricKeyAlgorithm> preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
|
private Set<SymmetricKeyAlgorithm> preferredSymmetricAlgorithms = algorithmSuite.getSymmetricKeyAlgorithms();
|
||||||
private Date keyCreationDate;
|
private Date keyCreationDate;
|
||||||
|
|
||||||
KeySpecBuilder(@Nonnull KeyType type, KeyFlag flag, KeyFlag... flags) {
|
KeySpecBuilder(@Nonnull KeyType type, KeyFlag... flags) {
|
||||||
if (flag == null) {
|
|
||||||
throw new IllegalArgumentException("Key MUST carry at least one key flag");
|
|
||||||
}
|
|
||||||
if (flags == null) {
|
if (flags == null) {
|
||||||
throw new IllegalArgumentException("List of additional flags MUST NOT be null.");
|
this.keyFlags = new KeyFlag[0];
|
||||||
}
|
} else {
|
||||||
flags = CollectionUtils.concat(flag, flags);
|
|
||||||
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
|
SignatureSubpacketsUtil.assureKeyCanCarryFlags(type, flags);
|
||||||
this.type = type;
|
|
||||||
this.keyFlags = flags;
|
this.keyFlags = flags;
|
||||||
}
|
}
|
||||||
|
this.type = type;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeySpecBuilder overridePreferredCompressionAlgorithms(
|
public KeySpecBuilder overridePreferredCompressionAlgorithms(
|
||||||
|
|
|
@ -1170,6 +1170,10 @@ public class KeyRingInfo {
|
||||||
return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
|
return new KeyAccessor.SubKey(this, new SubkeyIdentifier(keys, keyId)).getPreferredCompressionAlgorithms();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public boolean isUsableForThirdPartyCertification() {
|
||||||
|
return isKeyValidlyBound(getKeyId()) && getKeyFlagsOf(getKeyId()).contains(KeyFlag.CERTIFY_OTHER);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns true, if the certificate has at least one usable encryption subkey.
|
* Returns true, if the certificate has at least one usable encryption subkey.
|
||||||
*
|
*
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
|
||||||
|
//
|
||||||
|
// SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
package org.pgpainless.key.generation;
|
||||||
|
|
||||||
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
|
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||||
|
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
import org.pgpainless.PGPainless;
|
||||||
|
import org.pgpainless.algorithm.KeyFlag;
|
||||||
|
import org.pgpainless.exception.KeyException;
|
||||||
|
import org.pgpainless.key.TestKeys;
|
||||||
|
import org.pgpainless.key.generation.type.KeyType;
|
||||||
|
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
|
||||||
|
import org.pgpainless.key.generation.type.xdh.XDHSpec;
|
||||||
|
import org.pgpainless.key.info.KeyRingInfo;
|
||||||
|
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.InvalidAlgorithmParameterException;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
|
|
||||||
|
public class GenerateKeyWithoutPrimaryKeyFlagsTest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void generateKeyWithoutCertifyKeyFlag_cannotCertifyThirdParties() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
|
||||||
|
PGPSecretKeyRing secretKeys = PGPainless.buildKeyRing().setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519)))
|
||||||
|
.addSubkey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.SIGN_DATA))
|
||||||
|
.addSubkey(KeySpec.getBuilder(KeyType.XDH(XDHSpec._X25519), KeyFlag.ENCRYPT_STORAGE, KeyFlag.ENCRYPT_COMMS))
|
||||||
|
.addUserId("Alice")
|
||||||
|
.build();
|
||||||
|
|
||||||
|
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
|
||||||
|
assertTrue(info.getValidUserIds().contains("Alice"));
|
||||||
|
|
||||||
|
long primaryKeyId = info.getKeyId();
|
||||||
|
assertTrue(info.getKeyFlagsOf("Alice").isEmpty());
|
||||||
|
assertTrue(info.getKeyFlagsOf(primaryKeyId).isEmpty());
|
||||||
|
assertFalse(info.isUsableForThirdPartyCertification());
|
||||||
|
|
||||||
|
// Key without CERTIFY_OTHER flag cannot be used to certify other keys
|
||||||
|
PGPPublicKeyRing thirdPartyCert = TestKeys.getCryptiePublicKeyRing();
|
||||||
|
assertThrows(KeyException.UnacceptableThirdPartyCertificationKeyException.class, () ->
|
||||||
|
PGPainless.certify().certificate(thirdPartyCert)
|
||||||
|
.withKey(secretKeys, SecretKeyRingProtector.unprotectedKeys()));
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue