Refactor signature checks

2024-06-16 08:34:53 +02:00 · 2023-07-10 17:54:58 +02:00 · 2023-07-10 17:54:58 +02:00 · 35a01a16da
parent c4b4c13d9b
commit 35a01a16da
1 changed files with 21 additions and 44 deletions
--- a/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt
+++ b/pgpainless-wot/src/main/kotlin/org/pgpainless/wot/WebOfTrust.kt
@ -196,11 +196,15 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
                val issuer = nodeMap[issuerFingerprint]!!

                try {
-                    val valid = verifyDelegation(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
-                    if (valid) {
-                        networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
-                        return // we're done
-                    }
+                    // Check signature type
+                    SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(delegation)
+                    // common verification steps that are shared by delegations and certifications
+                    verifyCommonSignatureCriteria(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
+                    // check signature correctness
+                    SignatureValidator.correctSignatureOverKey(issuerSigningKey, targetPrimaryKey).verify(delegation)
+                    // only add the edge if the above checks did not throw
+                    networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
+                    return // we're done
                } catch (e: SignatureValidationException) {
                    val targetFingerprint = OpenPgpFingerprint.of(targetPrimaryKey)
                    LOGGER.warn("Cannot verify signature by $issuerFingerprint" +
@ -209,23 +213,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
            }
        }

-        /**
-         * Verify a delegation signature over a primary key.
-         * This method returns true, if the signature is correct and well-formed.
-         * It does not reject expired or revoked signatures.
-         */
-        fun verifyDelegation(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, policy: Policy): Boolean {
-            // Check signature type
-            SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(signature)
-
-            // common verification steps that are shared by delegations and certifications
-            verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
-
-            // check signature correctness
-            SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature)
-            return true
-        }
-
        /**
         * Process a certification (third-party-issued certification over the given [userId])
         * and add it upon successful verification as an edge to the [Network.Builder].
@ -250,11 +237,18 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
                val issuer = nodeMap[issuerFingerprint]!!

                try {
-                    val valid = verifyCertification(candidate, certification, issuerSigningKey, targetPrimaryKey, userId, policy)
-                    if (valid) {
-                        networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
-                        return // we're done
-                    }
+                    // check signature type
+                    SignatureValidator.signatureIsOfType(
+                            SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION,
+                            SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION,
+                            SignatureType.POSITIVE_CERTIFICATION).verify(certification)
+                    // perform shared verification steps
+                    verifyCommonSignatureCriteria(candidate, certification, issuerSigningKey, targetPrimaryKey, policy)
+                    // check correct signature
+                    SignatureValidator.correctSignatureOverUserId(userId, issuerSigningKey, targetPrimaryKey).verify(certification)
+                    // Only add the edge, if the above checks did not throw
+                    networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
+                    return // we're done
                } catch (e: SignatureValidationException) {
                    LOGGER.warn("Cannot verify signature for '$userId' by $issuerFingerprint" +
                            " on cert of ${target.fingerprint}", e)
@ -262,23 +256,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
            }
        }

-        /**
-         * Verify a certification over a user-ID.
-         * This method returns true, if the signature is correct and well-formed.
-         * It does not reject expired or revoked signatures.
-         */
-        fun verifyCertification(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, userId: String, policy: Policy): Boolean {
-            // check signature type
-            SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION, SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION, SignatureType.POSITIVE_CERTIFICATION).verify(signature)
-
-            // perform shared verification steps
-            verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
-
-            // check correct signature
-            SignatureValidator.correctSignatureOverUserId(userId, signedKey, signingKey).verify(signature)
-            return true
-        }
-
        fun verifyCommonSignatureCriteria(issuer: KeyRingInfo,
                                          signature: PGPSignature,
                                          signingKey: PGPPublicKey,