mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-23 03:17:58 +01:00
Separate Signature verification methods out of SignatureValidator into SignatureVerifier
This commit is contained in:
parent
8c3b694a71
commit
3abb796220
6 changed files with 529 additions and 473 deletions
|
@ -33,7 +33,7 @@ import org.pgpainless.exception.SignatureValidationException;
|
|||
import org.pgpainless.implementation.ImplementationFactory;
|
||||
import org.pgpainless.policy.Policy;
|
||||
import org.pgpainless.signature.SignatureCreationDateComparator;
|
||||
import org.pgpainless.signature.SignatureValidator;
|
||||
import org.pgpainless.signature.SignatureVerifier;
|
||||
import org.pgpainless.util.CollectionUtils;
|
||||
|
||||
public final class KeyRingValidator {
|
||||
|
@ -77,7 +77,7 @@ public final class KeyRingValidator {
|
|||
Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
||||
for (PGPSignature signature : directKeyCertifications) {
|
||||
try {
|
||||
if (SignatureValidator.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, signature);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -90,7 +90,7 @@ public final class KeyRingValidator {
|
|||
Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
||||
for (PGPSignature signature : directKeyRevocations) {
|
||||
try {
|
||||
if (SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, signature);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -107,11 +107,11 @@ public final class KeyRingValidator {
|
|||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||
if (SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
||||
}
|
||||
} else {
|
||||
if (SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
||||
}
|
||||
}
|
||||
|
@ -129,11 +129,11 @@ public final class KeyRingValidator {
|
|||
PGPSignature signature = userAttributeSignatureIterator.next();
|
||||
try {
|
||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||
if (SignatureValidator.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
||||
}
|
||||
} else {
|
||||
if (SignatureValidator.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||
if (SignatureVerifier.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
*/
|
||||
package org.pgpainless.signature;
|
||||
|
||||
import static org.pgpainless.signature.SignatureValidator.verifyOnePassSignature;
|
||||
import static org.pgpainless.signature.SignatureVerifier.verifyOnePassSignature;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.util.ArrayList;
|
||||
|
@ -40,9 +40,7 @@ import org.pgpainless.policy.Policy;
|
|||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||
|
||||
/**
|
||||
* This class implements validity checks on OpenPGP signatures.
|
||||
* Its responsibilities are checking if a signing key was eligible to create a certain signature
|
||||
* and if the signature is valid at the time of validation.
|
||||
* A collection of static methods that validate signing certificates (public keys) and verify signature correctness.
|
||||
*/
|
||||
public final class CertificateValidator {
|
||||
|
||||
|
@ -85,7 +83,7 @@ public final class CertificateValidator {
|
|||
while (primaryKeyRevocationIterator.hasNext()) {
|
||||
PGPSignature revocation = primaryKeyRevocationIterator.next();
|
||||
try {
|
||||
if (SignatureValidator.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
|
||||
if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
|
||||
directKeySignatures.add(revocation);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -99,7 +97,7 @@ public final class CertificateValidator {
|
|||
while (keySignatures.hasNext()) {
|
||||
PGPSignature keySignature = keySignatures.next();
|
||||
try {
|
||||
if (SignatureValidator.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
|
||||
if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
|
||||
directKeySignatures.add(keySignature);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -125,7 +123,7 @@ public final class CertificateValidator {
|
|||
while (userIdSigs.hasNext()) {
|
||||
PGPSignature userIdSig = userIdSigs.next();
|
||||
try {
|
||||
if (SignatureValidator.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
|
||||
if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
|
||||
signaturesOnUserId.add(userIdSig);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -175,7 +173,7 @@ public final class CertificateValidator {
|
|||
while (bindingRevocations.hasNext()) {
|
||||
PGPSignature revocation = bindingRevocations.next();
|
||||
try {
|
||||
if (SignatureValidator.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||
if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||
subkeySigs.add(revocation);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -188,7 +186,7 @@ public final class CertificateValidator {
|
|||
while (bindingSigs.hasNext()) {
|
||||
PGPSignature bindingSig = bindingSigs.next();
|
||||
try {
|
||||
if (SignatureValidator.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||
if (SignatureVerifier.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||
subkeySigs.add(bindingSig);
|
||||
}
|
||||
} catch (SignatureValidationException e) {
|
||||
|
@ -244,7 +242,7 @@ public final class CertificateValidator {
|
|||
throws SignatureValidationException {
|
||||
validateCertificate(signature, signingKeyRing, policy);
|
||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||
return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
|
||||
return SignatureVerifier.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -262,10 +260,19 @@ public final class CertificateValidator {
|
|||
validateCertificate(signature, verificationKeys, policy);
|
||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||
PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
|
||||
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
||||
SignatureVerifier.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate the signing key certificate and the given {@link OnePassSignature}.
|
||||
*
|
||||
* @param signature OpenPGP signature from the signed message
|
||||
* @param onePassSignature corresponding one-pass-signature
|
||||
* @param policy policy
|
||||
* @return true if the certificate is valid and the signature is correct, false otherwise.
|
||||
* @throws SignatureValidationException in case of a validation error
|
||||
*/
|
||||
public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
validateCertificate(signature, onePassSignature.getVerificationKeys(), policy);
|
||||
|
|
|
@ -63,7 +63,7 @@ public final class SignaturePicker {
|
|||
|
||||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate);
|
||||
SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
// Signature is not valid
|
||||
continue;
|
||||
|
@ -102,7 +102,7 @@ public final class SignaturePicker {
|
|||
PGPSignature mostRecentDirectKeySigBySigningKey = null;
|
||||
for (PGPSignature signature : directKeySignatures) {
|
||||
try {
|
||||
SignatureValidator.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate);
|
||||
SignatureVerifier.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
// Direct key sig is not valid
|
||||
continue;
|
||||
|
@ -180,7 +180,7 @@ public final class SignaturePicker {
|
|||
PGPSignature latestUserIdRevocation = null;
|
||||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
|
||||
SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
// User-id revocation is not valid
|
||||
continue;
|
||||
|
@ -211,7 +211,7 @@ public final class SignaturePicker {
|
|||
PGPSignature mostRecentUserIdCertification = null;
|
||||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
|
||||
SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
// User-id certification is not valid
|
||||
continue;
|
||||
|
@ -243,7 +243,7 @@ public final class SignaturePicker {
|
|||
PGPSignature latestUserIdCert = null;
|
||||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
SignatureValidator.verifyWasPossiblyMadeByKey(primaryKey, signature);
|
||||
SignatureValidator.wasPossiblyMadeByKey(primaryKey).verify(signature);
|
||||
SignatureValidator.signatureIsCertification().verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature);
|
||||
|
@ -284,7 +284,7 @@ public final class SignaturePicker {
|
|||
|
||||
for (PGPSignature signature : signatures) {
|
||||
try {
|
||||
SignatureValidator.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate);
|
||||
SignatureVerifier.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
// subkey binding revocation is not valid
|
||||
continue;
|
||||
|
@ -316,7 +316,7 @@ public final class SignaturePicker {
|
|||
|
||||
for (PGPSignature signature : subkeyBindingSigs) {
|
||||
try {
|
||||
SignatureValidator.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate);
|
||||
SignatureVerifier.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate);
|
||||
} catch (SignatureValidationException validationException) {
|
||||
// Subkey binding sig is not valid
|
||||
continue;
|
||||
|
|
|
@ -15,8 +15,6 @@
|
|||
*/
|
||||
package org.pgpainless.signature;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Date;
|
||||
|
@ -48,456 +46,48 @@ import org.pgpainless.util.BCUtil;
|
|||
import org.pgpainless.util.DateUtil;
|
||||
import org.pgpainless.util.NotationRegistry;
|
||||
|
||||
/**
|
||||
* A collection of validators that perform validation steps over signatures.
|
||||
*/
|
||||
public abstract class SignatureValidator {
|
||||
|
||||
public abstract void verify(PGPSignature signature) throws SignatureValidationException;
|
||||
|
||||
/**
|
||||
* Initialize a signature and verify it afterwards by updating it with the signed data.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signedData input stream containing the signed data
|
||||
* @param signingKey the key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date of signature verification
|
||||
* @return true if the signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if the signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
|
||||
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signedData input stream containing signed data
|
||||
* @param signingKey key that created the signature
|
||||
*
|
||||
* @throws SignatureValidationException in case the signature cannot be verified for some reason
|
||||
*/
|
||||
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
|
||||
throws SignatureValidationException {
|
||||
try {
|
||||
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
|
||||
int read;
|
||||
byte[] buf = new byte[8192];
|
||||
while ((read = signedData.read(buf)) != -1) {
|
||||
signature.update(buf, 0, read);
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Cannot init signature.", e);
|
||||
} catch (IOException e) {
|
||||
throw new SignatureValidationException("Cannot update signature.", e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify an initialized signature.
|
||||
* An initialized signature was already updated with the signed data.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signingKey key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature is verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
|
||||
try {
|
||||
if (!signature.verify()) {
|
||||
throw new SignatureValidationException("Signature is not correct.");
|
||||
}
|
||||
return true;
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Could not verify signature correctness.", e);
|
||||
}
|
||||
}
|
||||
|
||||
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
try {
|
||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective().verify(signature);
|
||||
} catch (SignatureValidationException e) {
|
||||
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
try {
|
||||
if (!onePassSignature.verify(signature)) {
|
||||
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature (certification or revocation) over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature self-signature
|
||||
* @param primaryKey primary key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature (certification or revocation) over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the certification
|
||||
* @param keyWithUserId key carrying the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
|
||||
switch (type) {
|
||||
case GENERIC_CERTIFICATION:
|
||||
case NO_CERTIFICATION:
|
||||
case CASUAL_CERTIFICATION:
|
||||
case POSITIVE_CERTIFICATION:
|
||||
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||
case CERTIFICATION_REVOCATION:
|
||||
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||
default:
|
||||
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check, whether there is the possibility that the given signature was created by the given key.
|
||||
* This method throws a {@link SignatureValidationException} if we can say with certainty that the signature
|
||||
* {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that the signature
|
||||
* was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
|
||||
*
|
||||
* If there is no information found in the signature about who created it (no issuer, no fingerprint),
|
||||
* return true since it is plausible that the given key created the sig.
|
||||
* {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig.
|
||||
*
|
||||
* @param signingKey signing key
|
||||
* @param signature signature
|
||||
* @return true only if the signing key either created the signature or the signature doesn't carry signer information
|
||||
* @throws SignatureValidationException if the sig was not created by the key
|
||||
* @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by the given key.
|
||||
*/
|
||||
public static boolean verifyWasPossiblyMadeByKey(PGPPublicKey signingKey, PGPSignature signature) throws SignatureValidationException {
|
||||
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey);
|
||||
public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) {
|
||||
return new SignatureValidator() {
|
||||
@Override
|
||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey);
|
||||
|
||||
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
|
||||
if (issuer != null) {
|
||||
if (issuer != signingKey.getKeyID()) {
|
||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
|
||||
} else {
|
||||
return true;
|
||||
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
|
||||
if (issuer != null) {
|
||||
if (issuer != signingKey.getKeyID()) {
|
||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
|
||||
}
|
||||
}
|
||||
|
||||
OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature);
|
||||
if (fingerprint != null) {
|
||||
if (!fingerprint.equals(signingKeyFingerprint)) {
|
||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
|
||||
}
|
||||
}
|
||||
|
||||
// No issuer information found, so we cannot rule out that we did not create the sig
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature);
|
||||
if (fingerprint != null) {
|
||||
if (!fingerprint.equals(signingKeyFingerprint)) {
|
||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
|
||||
} else {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// No issuer information found, so we cannot rule out that we did not create the sig
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification self-signature over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the self-signature is verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id certification.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the certification
|
||||
* @param keyWithUserId primary key that carries the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsCertification().verify(signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id revocation self-signature.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature user-id revocation signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the user-id revocation signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id revocation signature.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature revocation signature
|
||||
* @param signingKey key that created the revocation signature
|
||||
* @param keyWithUserId primary key carrying the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the user-id revocation signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification self-signature over a user-attributes packet.
|
||||
*
|
||||
* @param userAttributes user attributes
|
||||
* @param signature certification self-signature
|
||||
* @param primaryKey primary key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey primaryKey,
|
||||
Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification signature over a user-attributes packet.
|
||||
*
|
||||
* @param userAttributes user attributes
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the user-attributes certification
|
||||
* @param keyWithUserAttributes key that carries the user-attributes certification
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey signingKey,
|
||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsCertification().verify(signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-attributes revocation self-signature.
|
||||
*
|
||||
* @param userAttributes user-attributes
|
||||
* @param signature user-attributes revocation signature
|
||||
* @param primaryKey primary key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey primaryKey,
|
||||
Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-attributes revocation signature.
|
||||
*
|
||||
* @param userAttributes user-attributes
|
||||
* @param signature revocation signature
|
||||
* @param signingKey revocation key
|
||||
* @param keyWithUserAttributes key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey signingKey,
|
||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a subkey binding signature.
|
||||
*
|
||||
* @param signature binding signature
|
||||
* @param primaryKey primary key
|
||||
* @param subkey subkey
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the binding signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
|
||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
|
||||
correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a subkey revocation signature.
|
||||
*
|
||||
* @param signature subkey revocation signature
|
||||
* @param primaryKey primary key
|
||||
* @param subkey subkey
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the subkey revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
|
||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverKey(primaryKey, subkey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a direct-key self-signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a direct-key signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param signingKey signing key
|
||||
* @param signedKey signed key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverKey(signingKey, signedKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a key revocation signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
|
||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
signatureIsEffective(validationDate).verify(signature);
|
||||
correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -510,7 +100,7 @@ public abstract class SignatureValidator {
|
|||
* @param validationDate reference date for signature verification
|
||||
* @return validator
|
||||
*/
|
||||
private static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
|
||||
public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
|
||||
return new SignatureValidator() {
|
||||
@Override
|
||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||
|
|
|
@ -0,0 +1,451 @@
|
|||
/*
|
||||
* Copyright 2021 Paul Schaub.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.pgpainless.signature;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.Date;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
|
||||
import org.pgpainless.algorithm.SignatureType;
|
||||
import org.pgpainless.exception.SignatureValidationException;
|
||||
import org.pgpainless.implementation.ImplementationFactory;
|
||||
import org.pgpainless.policy.Policy;
|
||||
|
||||
/**
|
||||
* Collection of static methods for signature verification.
|
||||
* Signature verification entails validation of certain criteria (see {@link SignatureValidator}, as well as
|
||||
* cryptographic verification of signature correctness.
|
||||
*/
|
||||
public final class SignatureVerifier {
|
||||
|
||||
private SignatureVerifier() {
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature (certification or revocation) over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the certification
|
||||
* @param keyWithUserId key carrying the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
|
||||
switch (type) {
|
||||
case GENERIC_CERTIFICATION:
|
||||
case NO_CERTIFICATION:
|
||||
case CASUAL_CERTIFICATION:
|
||||
case POSITIVE_CERTIFICATION:
|
||||
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||
case CERTIFICATION_REVOCATION:
|
||||
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||
default:
|
||||
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification self-signature over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the self-signature is verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id certification.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the certification
|
||||
* @param keyWithUserId primary key that carries the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsCertification().verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id revocation self-signature.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature user-id revocation signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the user-id revocation signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-id revocation signature.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature revocation signature
|
||||
* @param signingKey key that created the revocation signature
|
||||
* @param keyWithUserId primary key carrying the user-id
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the user-id revocation signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification self-signature over a user-attributes packet.
|
||||
*
|
||||
* @param userAttributes user attributes
|
||||
* @param signature certification self-signature
|
||||
* @param primaryKey primary key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey primaryKey,
|
||||
Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a certification signature over a user-attributes packet.
|
||||
*
|
||||
* @param userAttributes user attributes
|
||||
* @param signature certification signature
|
||||
* @param signingKey key that created the user-attributes certification
|
||||
* @param keyWithUserAttributes key that carries the user-attributes certification
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey signingKey,
|
||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsCertification().verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-attributes revocation self-signature.
|
||||
*
|
||||
* @param userAttributes user-attributes
|
||||
* @param signature user-attributes revocation signature
|
||||
* @param primaryKey primary key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey primaryKey,
|
||||
Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a user-attributes revocation signature.
|
||||
*
|
||||
* @param userAttributes user-attributes
|
||||
* @param signature revocation signature
|
||||
* @param signingKey revocation key
|
||||
* @param keyWithUserAttributes key that carries the user-attributes
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||
PGPSignature signature, PGPPublicKey signingKey,
|
||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a subkey binding signature.
|
||||
*
|
||||
* @param signature binding signature
|
||||
* @param primaryKey primary key
|
||||
* @param subkey subkey
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the binding signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
|
||||
SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a subkey revocation signature.
|
||||
*
|
||||
* @param signature subkey revocation signature
|
||||
* @param primaryKey primary key
|
||||
* @param subkey subkey
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the subkey revocation signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a direct-key self-signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature can be verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a direct-key signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param signingKey signing key
|
||||
* @param signedKey signed key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a key revocation signature.
|
||||
*
|
||||
* @param signature signature
|
||||
* @param primaryKey primary key
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature verification is successful
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize a signature and verify it afterwards by updating it with the signed data.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signedData input stream containing the signed data
|
||||
* @param signingKey the key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date of signature verification
|
||||
* @return true if the signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if the signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
|
||||
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signedData input stream containing signed data
|
||||
* @param signingKey key that created the signature
|
||||
*
|
||||
* @throws SignatureValidationException in case the signature cannot be verified for some reason
|
||||
*/
|
||||
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
|
||||
throws SignatureValidationException {
|
||||
try {
|
||||
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
|
||||
int read;
|
||||
byte[] buf = new byte[8192];
|
||||
while ((read = signedData.read(buf)) != -1) {
|
||||
signature.update(buf, 0, read);
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Cannot init signature.", e);
|
||||
} catch (IOException e) {
|
||||
throw new SignatureValidationException("Cannot update signature.", e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify an initialized signature.
|
||||
* An initialized signature was already updated with the signed data.
|
||||
*
|
||||
* @param signature OpenPGP signature
|
||||
* @param signingKey key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if signature is verified successfully
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
|
||||
try {
|
||||
if (!signature.verify()) {
|
||||
throw new SignatureValidationException("Signature is not correct.");
|
||||
}
|
||||
return true;
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Could not verify signature correctness.", e);
|
||||
}
|
||||
}
|
||||
|
||||
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
try {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective().verify(signature);
|
||||
} catch (SignatureValidationException e) {
|
||||
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
try {
|
||||
if (!onePassSignature.verify(signature)) {
|
||||
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature (certification or revocation) over a user-id.
|
||||
*
|
||||
* @param userId user-id
|
||||
* @param signature self-signature
|
||||
* @param primaryKey primary key that created the signature
|
||||
* @param policy policy
|
||||
* @param validationDate reference date for signature verification
|
||||
* @return true if the signature is successfully verified
|
||||
*
|
||||
* @throws SignatureValidationException if signature verification fails for some reason
|
||||
*/
|
||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||
}
|
||||
}
|
|
@ -16,7 +16,6 @@
|
|||
package org.pgpainless.signature;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
import static org.junit.jupiter.api.Assertions.fail;
|
||||
|
||||
import java.io.IOException;
|
||||
|
@ -30,7 +29,7 @@ import org.pgpainless.PGPainless;
|
|||
import org.pgpainless.exception.SignatureValidationException;
|
||||
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
||||
|
||||
public class SignatureWasPossibleyMadeByKeyTest {
|
||||
public class SignatureWasPossiblyMadeByKeyTest {
|
||||
|
||||
public static PGPPublicKeyRing CERT;
|
||||
public static PGPPublicKey SIGKEY;
|
||||
|
@ -103,7 +102,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
||||
"=4ZFC\n" +
|
||||
"-----END PGP SIGNATURE-----";
|
||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer)));
|
||||
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -123,7 +122,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" +
|
||||
"=IcX1\n" +
|
||||
"-----END PGP SIGNATURE-----\n";
|
||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer)));
|
||||
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -144,7 +143,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"-----END PGP SIGNATURE-----";
|
||||
|
||||
|
||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint)));
|
||||
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -165,11 +164,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"=LBou\n" +
|
||||
"-----END PGP SIGNATURE-----\n";
|
||||
|
||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint)));
|
||||
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void issuerMismatch() {
|
||||
public void issuerMismatch() throws PGPException, IOException {
|
||||
String sig = "-----BEGIN PGP SIGNATURE-----\n" +
|
||||
"\n" +
|
||||
"wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
||||
|
@ -185,11 +184,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
||||
"=4ZFC\n" +
|
||||
"-----END PGP SIGNATURE-----";
|
||||
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sig)));
|
||||
assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sig));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void noIssuer_fingerprintMismatch() {
|
||||
public void noIssuer_fingerprintMismatch() throws PGPException, IOException {
|
||||
String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" +
|
||||
"\n" +
|
||||
"wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
||||
|
@ -206,10 +205,19 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
|||
"=A/zE\n" +
|
||||
"-----END PGP SIGNATURE-----\n";
|
||||
|
||||
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint)));
|
||||
assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint));
|
||||
}
|
||||
|
||||
private PGPSignature get(String encoded) throws PGPException, IOException {
|
||||
return SignatureUtils.readSignatures(encoded).get(0);
|
||||
}
|
||||
|
||||
private void assertWasPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signatureKey).verify(signature);
|
||||
}
|
||||
|
||||
private void assertWasNotPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) {
|
||||
assertThrows(SignatureValidationException.class, () -> assertWasPossiblyMadeByKey(signatureKey, signature));
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in a new issue