1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-25 04:17:59 +01:00

Refactor signature checks

This commit is contained in:
Paul Schaub 2023-07-10 17:54:58 +02:00
parent c4b4c13d9b
commit 35a01a16da
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311

View file

@ -196,11 +196,15 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
val issuer = nodeMap[issuerFingerprint]!! val issuer = nodeMap[issuerFingerprint]!!
try { try {
val valid = verifyDelegation(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy) // Check signature type
if (valid) { SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(delegation)
networkBuilder.addEdge(fromDelegation(issuer, target, delegation)) // common verification steps that are shared by delegations and certifications
return // we're done verifyCommonSignatureCriteria(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
} // check signature correctness
SignatureValidator.correctSignatureOverKey(issuerSigningKey, targetPrimaryKey).verify(delegation)
// only add the edge if the above checks did not throw
networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
return // we're done
} catch (e: SignatureValidationException) { } catch (e: SignatureValidationException) {
val targetFingerprint = OpenPgpFingerprint.of(targetPrimaryKey) val targetFingerprint = OpenPgpFingerprint.of(targetPrimaryKey)
LOGGER.warn("Cannot verify signature by $issuerFingerprint" + LOGGER.warn("Cannot verify signature by $issuerFingerprint" +
@ -209,23 +213,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
} }
} }
/**
* Verify a delegation signature over a primary key.
* This method returns true, if the signature is correct and well-formed.
* It does not reject expired or revoked signatures.
*/
fun verifyDelegation(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, policy: Policy): Boolean {
// Check signature type
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(signature)
// common verification steps that are shared by delegations and certifications
verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
// check signature correctness
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature)
return true
}
/** /**
* Process a certification (third-party-issued certification over the given [userId]) * Process a certification (third-party-issued certification over the given [userId])
* and add it upon successful verification as an edge to the [Network.Builder]. * and add it upon successful verification as an edge to the [Network.Builder].
@ -250,11 +237,18 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
val issuer = nodeMap[issuerFingerprint]!! val issuer = nodeMap[issuerFingerprint]!!
try { try {
val valid = verifyCertification(candidate, certification, issuerSigningKey, targetPrimaryKey, userId, policy) // check signature type
if (valid) { SignatureValidator.signatureIsOfType(
networkBuilder.addEdge(fromCertification(issuer, target, userId, certification)) SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION,
return // we're done SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION,
} SignatureType.POSITIVE_CERTIFICATION).verify(certification)
// perform shared verification steps
verifyCommonSignatureCriteria(candidate, certification, issuerSigningKey, targetPrimaryKey, policy)
// check correct signature
SignatureValidator.correctSignatureOverUserId(userId, issuerSigningKey, targetPrimaryKey).verify(certification)
// Only add the edge, if the above checks did not throw
networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
return // we're done
} catch (e: SignatureValidationException) { } catch (e: SignatureValidationException) {
LOGGER.warn("Cannot verify signature for '$userId' by $issuerFingerprint" + LOGGER.warn("Cannot verify signature for '$userId' by $issuerFingerprint" +
" on cert of ${target.fingerprint}", e) " on cert of ${target.fingerprint}", e)
@ -262,23 +256,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
} }
} }
/**
* Verify a certification over a user-ID.
* This method returns true, if the signature is correct and well-formed.
* It does not reject expired or revoked signatures.
*/
fun verifyCertification(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, userId: String, policy: Policy): Boolean {
// check signature type
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION, SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION, SignatureType.POSITIVE_CERTIFICATION).verify(signature)
// perform shared verification steps
verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
// check correct signature
SignatureValidator.correctSignatureOverUserId(userId, signedKey, signingKey).verify(signature)
return true
}
fun verifyCommonSignatureCriteria(issuer: KeyRingInfo, fun verifyCommonSignatureCriteria(issuer: KeyRingInfo,
signature: PGPSignature, signature: PGPSignature,
signingKey: PGPPublicKey, signingKey: PGPPublicKey,