mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-23 12:52:07 +01:00
Separate Signature verification methods out of SignatureValidator into SignatureVerifier
This commit is contained in:
parent
8c3b694a71
commit
3abb796220
6 changed files with 529 additions and 473 deletions
|
@ -33,7 +33,7 @@ import org.pgpainless.exception.SignatureValidationException;
|
||||||
import org.pgpainless.implementation.ImplementationFactory;
|
import org.pgpainless.implementation.ImplementationFactory;
|
||||||
import org.pgpainless.policy.Policy;
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.SignatureCreationDateComparator;
|
import org.pgpainless.signature.SignatureCreationDateComparator;
|
||||||
import org.pgpainless.signature.SignatureValidator;
|
import org.pgpainless.signature.SignatureVerifier;
|
||||||
import org.pgpainless.util.CollectionUtils;
|
import org.pgpainless.util.CollectionUtils;
|
||||||
|
|
||||||
public final class KeyRingValidator {
|
public final class KeyRingValidator {
|
||||||
|
@ -77,7 +77,7 @@ public final class KeyRingValidator {
|
||||||
Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
||||||
for (PGPSignature signature : directKeyCertifications) {
|
for (PGPSignature signature : directKeyCertifications) {
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
|
if (SignatureVerifier.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, signature);
|
blank = PGPPublicKey.addCertification(blank, signature);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -90,7 +90,7 @@ public final class KeyRingValidator {
|
||||||
Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
||||||
for (PGPSignature signature : directKeyRevocations) {
|
for (PGPSignature signature : directKeyRevocations) {
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
|
if (SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, signature);
|
blank = PGPPublicKey.addCertification(blank, signature);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -107,11 +107,11 @@ public final class KeyRingValidator {
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||||
if (SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
|
if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
|
if (SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
blank = PGPPublicKey.addCertification(blank, userId, signature);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -129,11 +129,11 @@ public final class KeyRingValidator {
|
||||||
PGPSignature signature = userAttributeSignatureIterator.next();
|
PGPSignature signature = userAttributeSignatureIterator.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||||
if (SignatureValidator.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
|
if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (SignatureValidator.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
|
if (SignatureVerifier.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||||
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
*/
|
*/
|
||||||
package org.pgpainless.signature;
|
package org.pgpainless.signature;
|
||||||
|
|
||||||
import static org.pgpainless.signature.SignatureValidator.verifyOnePassSignature;
|
import static org.pgpainless.signature.SignatureVerifier.verifyOnePassSignature;
|
||||||
|
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
@ -40,9 +40,7 @@ import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class implements validity checks on OpenPGP signatures.
|
* A collection of static methods that validate signing certificates (public keys) and verify signature correctness.
|
||||||
* Its responsibilities are checking if a signing key was eligible to create a certain signature
|
|
||||||
* and if the signature is valid at the time of validation.
|
|
||||||
*/
|
*/
|
||||||
public final class CertificateValidator {
|
public final class CertificateValidator {
|
||||||
|
|
||||||
|
@ -85,7 +83,7 @@ public final class CertificateValidator {
|
||||||
while (primaryKeyRevocationIterator.hasNext()) {
|
while (primaryKeyRevocationIterator.hasNext()) {
|
||||||
PGPSignature revocation = primaryKeyRevocationIterator.next();
|
PGPSignature revocation = primaryKeyRevocationIterator.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
|
if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
|
||||||
directKeySignatures.add(revocation);
|
directKeySignatures.add(revocation);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -99,7 +97,7 @@ public final class CertificateValidator {
|
||||||
while (keySignatures.hasNext()) {
|
while (keySignatures.hasNext()) {
|
||||||
PGPSignature keySignature = keySignatures.next();
|
PGPSignature keySignature = keySignatures.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
|
if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
|
||||||
directKeySignatures.add(keySignature);
|
directKeySignatures.add(keySignature);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -125,7 +123,7 @@ public final class CertificateValidator {
|
||||||
while (userIdSigs.hasNext()) {
|
while (userIdSigs.hasNext()) {
|
||||||
PGPSignature userIdSig = userIdSigs.next();
|
PGPSignature userIdSig = userIdSigs.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
|
if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
|
||||||
signaturesOnUserId.add(userIdSig);
|
signaturesOnUserId.add(userIdSig);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -175,7 +173,7 @@ public final class CertificateValidator {
|
||||||
while (bindingRevocations.hasNext()) {
|
while (bindingRevocations.hasNext()) {
|
||||||
PGPSignature revocation = bindingRevocations.next();
|
PGPSignature revocation = bindingRevocations.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||||
subkeySigs.add(revocation);
|
subkeySigs.add(revocation);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -188,7 +186,7 @@ public final class CertificateValidator {
|
||||||
while (bindingSigs.hasNext()) {
|
while (bindingSigs.hasNext()) {
|
||||||
PGPSignature bindingSig = bindingSigs.next();
|
PGPSignature bindingSig = bindingSigs.next();
|
||||||
try {
|
try {
|
||||||
if (SignatureValidator.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
if (SignatureVerifier.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||||
subkeySigs.add(bindingSig);
|
subkeySigs.add(bindingSig);
|
||||||
}
|
}
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
@ -244,7 +242,7 @@ public final class CertificateValidator {
|
||||||
throws SignatureValidationException {
|
throws SignatureValidationException {
|
||||||
validateCertificate(signature, signingKeyRing, policy);
|
validateCertificate(signature, signingKeyRing, policy);
|
||||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||||
return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
|
return SignatureVerifier.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -262,10 +260,19 @@ public final class CertificateValidator {
|
||||||
validateCertificate(signature, verificationKeys, policy);
|
validateCertificate(signature, verificationKeys, policy);
|
||||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||||
PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
|
PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
|
||||||
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
SignatureVerifier.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validate the signing key certificate and the given {@link OnePassSignature}.
|
||||||
|
*
|
||||||
|
* @param signature OpenPGP signature from the signed message
|
||||||
|
* @param onePassSignature corresponding one-pass-signature
|
||||||
|
* @param policy policy
|
||||||
|
* @return true if the certificate is valid and the signature is correct, false otherwise.
|
||||||
|
* @throws SignatureValidationException in case of a validation error
|
||||||
|
*/
|
||||||
public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy)
|
public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy)
|
||||||
throws SignatureValidationException {
|
throws SignatureValidationException {
|
||||||
validateCertificate(signature, onePassSignature.getVerificationKeys(), policy);
|
validateCertificate(signature, onePassSignature.getVerificationKeys(), policy);
|
||||||
|
|
|
@ -63,7 +63,7 @@ public final class SignaturePicker {
|
||||||
|
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate);
|
SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
// Signature is not valid
|
// Signature is not valid
|
||||||
continue;
|
continue;
|
||||||
|
@ -102,7 +102,7 @@ public final class SignaturePicker {
|
||||||
PGPSignature mostRecentDirectKeySigBySigningKey = null;
|
PGPSignature mostRecentDirectKeySigBySigningKey = null;
|
||||||
for (PGPSignature signature : directKeySignatures) {
|
for (PGPSignature signature : directKeySignatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate);
|
SignatureVerifier.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
// Direct key sig is not valid
|
// Direct key sig is not valid
|
||||||
continue;
|
continue;
|
||||||
|
@ -180,7 +180,7 @@ public final class SignaturePicker {
|
||||||
PGPSignature latestUserIdRevocation = null;
|
PGPSignature latestUserIdRevocation = null;
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
|
SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
// User-id revocation is not valid
|
// User-id revocation is not valid
|
||||||
continue;
|
continue;
|
||||||
|
@ -211,7 +211,7 @@ public final class SignaturePicker {
|
||||||
PGPSignature mostRecentUserIdCertification = null;
|
PGPSignature mostRecentUserIdCertification = null;
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
|
SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
// User-id certification is not valid
|
// User-id certification is not valid
|
||||||
continue;
|
continue;
|
||||||
|
@ -243,7 +243,7 @@ public final class SignaturePicker {
|
||||||
PGPSignature latestUserIdCert = null;
|
PGPSignature latestUserIdCert = null;
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifyWasPossiblyMadeByKey(primaryKey, signature);
|
SignatureValidator.wasPossiblyMadeByKey(primaryKey).verify(signature);
|
||||||
SignatureValidator.signatureIsCertification().verify(signature);
|
SignatureValidator.signatureIsCertification().verify(signature);
|
||||||
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||||
SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature);
|
SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature);
|
||||||
|
@ -284,7 +284,7 @@ public final class SignaturePicker {
|
||||||
|
|
||||||
for (PGPSignature signature : signatures) {
|
for (PGPSignature signature : signatures) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate);
|
SignatureVerifier.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
// subkey binding revocation is not valid
|
// subkey binding revocation is not valid
|
||||||
continue;
|
continue;
|
||||||
|
@ -316,7 +316,7 @@ public final class SignaturePicker {
|
||||||
|
|
||||||
for (PGPSignature signature : subkeyBindingSigs) {
|
for (PGPSignature signature : subkeyBindingSigs) {
|
||||||
try {
|
try {
|
||||||
SignatureValidator.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate);
|
SignatureVerifier.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate);
|
||||||
} catch (SignatureValidationException validationException) {
|
} catch (SignatureValidationException validationException) {
|
||||||
// Subkey binding sig is not valid
|
// Subkey binding sig is not valid
|
||||||
continue;
|
continue;
|
||||||
|
|
|
@ -15,8 +15,6 @@
|
||||||
*/
|
*/
|
||||||
package org.pgpainless.signature;
|
package org.pgpainless.signature;
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.io.InputStream;
|
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
|
@ -48,169 +46,34 @@ import org.pgpainless.util.BCUtil;
|
||||||
import org.pgpainless.util.DateUtil;
|
import org.pgpainless.util.DateUtil;
|
||||||
import org.pgpainless.util.NotationRegistry;
|
import org.pgpainless.util.NotationRegistry;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A collection of validators that perform validation steps over signatures.
|
||||||
|
*/
|
||||||
public abstract class SignatureValidator {
|
public abstract class SignatureValidator {
|
||||||
|
|
||||||
public abstract void verify(PGPSignature signature) throws SignatureValidationException;
|
public abstract void verify(PGPSignature signature) throws SignatureValidationException;
|
||||||
|
|
||||||
/**
|
|
||||||
* Initialize a signature and verify it afterwards by updating it with the signed data.
|
|
||||||
*
|
|
||||||
* @param signature OpenPGP signature
|
|
||||||
* @param signedData input stream containing the signed data
|
|
||||||
* @param signingKey the key that created the signature
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date of signature verification
|
|
||||||
* @return true if the signature is successfully verified
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if the signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
|
|
||||||
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
|
|
||||||
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
|
|
||||||
*
|
|
||||||
* @param signature OpenPGP signature
|
|
||||||
* @param signedData input stream containing signed data
|
|
||||||
* @param signingKey key that created the signature
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException in case the signature cannot be verified for some reason
|
|
||||||
*/
|
|
||||||
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
try {
|
|
||||||
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
|
|
||||||
int read;
|
|
||||||
byte[] buf = new byte[8192];
|
|
||||||
while ((read = signedData.read(buf)) != -1) {
|
|
||||||
signature.update(buf, 0, read);
|
|
||||||
}
|
|
||||||
} catch (PGPException e) {
|
|
||||||
throw new SignatureValidationException("Cannot init signature.", e);
|
|
||||||
} catch (IOException e) {
|
|
||||||
throw new SignatureValidationException("Cannot update signature.", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify an initialized signature.
|
|
||||||
* An initialized signature was already updated with the signed data.
|
|
||||||
*
|
|
||||||
* @param signature OpenPGP signature
|
|
||||||
* @param signingKey key that created the signature
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if signature is verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
|
|
||||||
try {
|
|
||||||
if (!signature.verify()) {
|
|
||||||
throw new SignatureValidationException("Signature is not correct.");
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
} catch (PGPException e) {
|
|
||||||
throw new SignatureValidationException("Could not verify signature correctness.", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
try {
|
|
||||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective().verify(signature);
|
|
||||||
} catch (SignatureValidationException e) {
|
|
||||||
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
if (!onePassSignature.verify(signature)) {
|
|
||||||
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
|
||||||
}
|
|
||||||
} catch (PGPException e) {
|
|
||||||
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
|
|
||||||
}
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a signature (certification or revocation) over a user-id.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature self-signature
|
|
||||||
* @param primaryKey primary key that created the signature
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the signature is successfully verified
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a signature (certification or revocation) over a user-id.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature certification signature
|
|
||||||
* @param signingKey key that created the certification
|
|
||||||
* @param keyWithUserId key carrying the user-id
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if signature verification is successful
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
|
|
||||||
switch (type) {
|
|
||||||
case GENERIC_CERTIFICATION:
|
|
||||||
case NO_CERTIFICATION:
|
|
||||||
case CASUAL_CERTIFICATION:
|
|
||||||
case POSITIVE_CERTIFICATION:
|
|
||||||
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
|
||||||
case CERTIFICATION_REVOCATION:
|
|
||||||
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
|
||||||
default:
|
|
||||||
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check, whether there is the possibility that the given signature was created by the given key.
|
* Check, whether there is the possibility that the given signature was created by the given key.
|
||||||
* This method throws a {@link SignatureValidationException} if we can say with certainty that the signature
|
* {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that the signature
|
||||||
* was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
|
* was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
|
||||||
*
|
*
|
||||||
* If there is no information found in the signature about who created it (no issuer, no fingerprint),
|
* If there is no information found in the signature about who created it (no issuer, no fingerprint),
|
||||||
* return true since it is plausible that the given key created the sig.
|
* {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig.
|
||||||
*
|
*
|
||||||
* @param signingKey signing key
|
* @param signingKey signing key
|
||||||
* @param signature signature
|
* @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by the given key.
|
||||||
* @return true only if the signing key either created the signature or the signature doesn't carry signer information
|
|
||||||
* @throws SignatureValidationException if the sig was not created by the key
|
|
||||||
*/
|
*/
|
||||||
public static boolean verifyWasPossiblyMadeByKey(PGPPublicKey signingKey, PGPSignature signature) throws SignatureValidationException {
|
public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) {
|
||||||
|
return new SignatureValidator() {
|
||||||
|
@Override
|
||||||
|
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||||
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey);
|
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey);
|
||||||
|
|
||||||
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
|
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
|
||||||
if (issuer != null) {
|
if (issuer != null) {
|
||||||
if (issuer != signingKey.getKeyID()) {
|
if (issuer != signingKey.getKeyID()) {
|
||||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
|
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
|
||||||
} else {
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -218,286 +81,13 @@ public abstract class SignatureValidator {
|
||||||
if (fingerprint != null) {
|
if (fingerprint != null) {
|
||||||
if (!fingerprint.equals(signingKeyFingerprint)) {
|
if (!fingerprint.equals(signingKeyFingerprint)) {
|
||||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
|
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
|
||||||
} else {
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// No issuer information found, so we cannot rule out that we did not create the sig
|
// No issuer information found, so we cannot rule out that we did not create the sig
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a certification self-signature over a user-id.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature certification signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the self-signature is verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a user-id certification.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature certification signature
|
|
||||||
* @param signingKey key that created the certification
|
|
||||||
* @param keyWithUserId primary key that carries the user-id
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if signature verification is successful
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsCertification().verify(signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a user-id revocation self-signature.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature user-id revocation signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the user-id revocation signature is successfully verified
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a user-id revocation signature.
|
|
||||||
*
|
|
||||||
* @param userId user-id
|
|
||||||
* @param signature revocation signature
|
|
||||||
* @param signingKey key that created the revocation signature
|
|
||||||
* @param keyWithUserId primary key carrying the user-id
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the user-id revocation signature is successfully verified
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a certification self-signature over a user-attributes packet.
|
|
||||||
*
|
|
||||||
* @param userAttributes user attributes
|
|
||||||
* @param signature certification self-signature
|
|
||||||
* @param primaryKey primary key that carries the user-attributes
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
|
||||||
PGPSignature signature, PGPPublicKey primaryKey,
|
|
||||||
Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a certification signature over a user-attributes packet.
|
|
||||||
*
|
|
||||||
* @param userAttributes user attributes
|
|
||||||
* @param signature certification signature
|
|
||||||
* @param signingKey key that created the user-attributes certification
|
|
||||||
* @param keyWithUserAttributes key that carries the user-attributes certification
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
|
||||||
PGPSignature signature, PGPPublicKey signingKey,
|
|
||||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
|
||||||
Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsCertification().verify(signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a user-attributes revocation self-signature.
|
|
||||||
*
|
|
||||||
* @param userAttributes user-attributes
|
|
||||||
* @param signature user-attributes revocation signature
|
|
||||||
* @param primaryKey primary key that carries the user-attributes
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the revocation signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
|
||||||
PGPSignature signature, PGPPublicKey primaryKey,
|
|
||||||
Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a user-attributes revocation signature.
|
|
||||||
*
|
|
||||||
* @param userAttributes user-attributes
|
|
||||||
* @param signature revocation signature
|
|
||||||
* @param signingKey revocation key
|
|
||||||
* @param keyWithUserAttributes key that carries the user-attributes
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the revocation signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
|
||||||
PGPSignature signature, PGPPublicKey signingKey,
|
|
||||||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
|
||||||
Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a subkey binding signature.
|
|
||||||
*
|
|
||||||
* @param signature binding signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param subkey subkey
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the binding signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
|
|
||||||
correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a subkey revocation signature.
|
|
||||||
*
|
|
||||||
* @param signature subkey revocation signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param subkey subkey
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the subkey revocation signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverKey(primaryKey, subkey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a direct-key self-signature.
|
|
||||||
*
|
|
||||||
* @param signature signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if the signature can be verified successfully
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a direct-key signature.
|
|
||||||
*
|
|
||||||
* @param signature signature
|
|
||||||
* @param signingKey signing key
|
|
||||||
* @param signedKey signed key
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if signature verification is successful
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverKey(signingKey, signedKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a key revocation signature.
|
|
||||||
*
|
|
||||||
* @param signature signature
|
|
||||||
* @param primaryKey primary key
|
|
||||||
* @param policy policy
|
|
||||||
* @param validationDate reference date for signature verification
|
|
||||||
* @return true if signature verification is successful
|
|
||||||
*
|
|
||||||
* @throws SignatureValidationException if signature verification fails for some reason
|
|
||||||
*/
|
|
||||||
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
|
||||||
throws SignatureValidationException {
|
|
||||||
signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
|
|
||||||
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
|
||||||
signatureIsEffective(validationDate).verify(signature);
|
|
||||||
correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -510,7 +100,7 @@ public abstract class SignatureValidator {
|
||||||
* @param validationDate reference date for signature verification
|
* @param validationDate reference date for signature verification
|
||||||
* @return validator
|
* @return validator
|
||||||
*/
|
*/
|
||||||
private static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
|
public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
|
||||||
return new SignatureValidator() {
|
return new SignatureValidator() {
|
||||||
@Override
|
@Override
|
||||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||||
|
|
|
@ -0,0 +1,451 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Paul Schaub.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.pgpainless.signature;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.util.Date;
|
||||||
|
|
||||||
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
|
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||||
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
|
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
|
||||||
|
import org.pgpainless.algorithm.SignatureType;
|
||||||
|
import org.pgpainless.exception.SignatureValidationException;
|
||||||
|
import org.pgpainless.implementation.ImplementationFactory;
|
||||||
|
import org.pgpainless.policy.Policy;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Collection of static methods for signature verification.
|
||||||
|
* Signature verification entails validation of certain criteria (see {@link SignatureValidator}, as well as
|
||||||
|
* cryptographic verification of signature correctness.
|
||||||
|
*/
|
||||||
|
public final class SignatureVerifier {
|
||||||
|
|
||||||
|
private SignatureVerifier() {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a signature (certification or revocation) over a user-id.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature certification signature
|
||||||
|
* @param signingKey key that created the certification
|
||||||
|
* @param keyWithUserId key carrying the user-id
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if signature verification is successful
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
|
||||||
|
switch (type) {
|
||||||
|
case GENERIC_CERTIFICATION:
|
||||||
|
case NO_CERTIFICATION:
|
||||||
|
case CASUAL_CERTIFICATION:
|
||||||
|
case POSITIVE_CERTIFICATION:
|
||||||
|
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||||
|
case CERTIFICATION_REVOCATION:
|
||||||
|
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
|
||||||
|
default:
|
||||||
|
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a certification self-signature over a user-id.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature certification signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the self-signature is verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a user-id certification.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature certification signature
|
||||||
|
* @param signingKey key that created the certification
|
||||||
|
* @param keyWithUserId primary key that carries the user-id
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if signature verification is successful
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsCertification().verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a user-id revocation self-signature.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature user-id revocation signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the user-id revocation signature is successfully verified
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a user-id revocation signature.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature revocation signature
|
||||||
|
* @param signingKey key that created the revocation signature
|
||||||
|
* @param keyWithUserId primary key carrying the user-id
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the user-id revocation signature is successfully verified
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a certification self-signature over a user-attributes packet.
|
||||||
|
*
|
||||||
|
* @param userAttributes user attributes
|
||||||
|
* @param signature certification self-signature
|
||||||
|
* @param primaryKey primary key that carries the user-attributes
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||||
|
PGPSignature signature, PGPPublicKey primaryKey,
|
||||||
|
Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a certification signature over a user-attributes packet.
|
||||||
|
*
|
||||||
|
* @param userAttributes user attributes
|
||||||
|
* @param signature certification signature
|
||||||
|
* @param signingKey key that created the user-attributes certification
|
||||||
|
* @param keyWithUserAttributes key that carries the user-attributes certification
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
|
||||||
|
PGPSignature signature, PGPPublicKey signingKey,
|
||||||
|
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||||
|
Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsCertification().verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a user-attributes revocation self-signature.
|
||||||
|
*
|
||||||
|
* @param userAttributes user-attributes
|
||||||
|
* @param signature user-attributes revocation signature
|
||||||
|
* @param primaryKey primary key that carries the user-attributes
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the revocation signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||||
|
PGPSignature signature, PGPPublicKey primaryKey,
|
||||||
|
Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a user-attributes revocation signature.
|
||||||
|
*
|
||||||
|
* @param userAttributes user-attributes
|
||||||
|
* @param signature revocation signature
|
||||||
|
* @param signingKey revocation key
|
||||||
|
* @param keyWithUserAttributes key that carries the user-attributes
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the revocation signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
|
||||||
|
PGPSignature signature, PGPPublicKey signingKey,
|
||||||
|
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||||
|
Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a subkey binding signature.
|
||||||
|
*
|
||||||
|
* @param signature binding signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param subkey subkey
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the binding signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a subkey revocation signature.
|
||||||
|
*
|
||||||
|
* @param signature subkey revocation signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param subkey subkey
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the subkey revocation signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a direct-key self-signature.
|
||||||
|
*
|
||||||
|
* @param signature signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the signature can be verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a direct-key signature.
|
||||||
|
*
|
||||||
|
* @param signature signature
|
||||||
|
* @param signingKey signing key
|
||||||
|
* @param signedKey signed key
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if signature verification is successful
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a key revocation signature.
|
||||||
|
*
|
||||||
|
* @param signature signature
|
||||||
|
* @param primaryKey primary key
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if signature verification is successful
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize a signature and verify it afterwards by updating it with the signed data.
|
||||||
|
*
|
||||||
|
* @param signature OpenPGP signature
|
||||||
|
* @param signedData input stream containing the signed data
|
||||||
|
* @param signingKey the key that created the signature
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date of signature verification
|
||||||
|
* @return true if the signature is successfully verified
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if the signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
|
||||||
|
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
|
||||||
|
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
|
||||||
|
*
|
||||||
|
* @param signature OpenPGP signature
|
||||||
|
* @param signedData input stream containing signed data
|
||||||
|
* @param signingKey key that created the signature
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException in case the signature cannot be verified for some reason
|
||||||
|
*/
|
||||||
|
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
try {
|
||||||
|
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
|
||||||
|
int read;
|
||||||
|
byte[] buf = new byte[8192];
|
||||||
|
while ((read = signedData.read(buf)) != -1) {
|
||||||
|
signature.update(buf, 0, read);
|
||||||
|
}
|
||||||
|
} catch (PGPException e) {
|
||||||
|
throw new SignatureValidationException("Cannot init signature.", e);
|
||||||
|
} catch (IOException e) {
|
||||||
|
throw new SignatureValidationException("Cannot update signature.", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify an initialized signature.
|
||||||
|
* An initialized signature was already updated with the signed data.
|
||||||
|
*
|
||||||
|
* @param signature OpenPGP signature
|
||||||
|
* @param signingKey key that created the signature
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if signature is verified successfully
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (!signature.verify()) {
|
||||||
|
throw new SignatureValidationException("Signature is not correct.");
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
} catch (PGPException e) {
|
||||||
|
throw new SignatureValidationException("Could not verify signature correctness.", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
try {
|
||||||
|
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||||
|
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
SignatureValidator.signatureIsEffective().verify(signature);
|
||||||
|
} catch (SignatureValidationException e) {
|
||||||
|
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (!onePassSignature.verify(signature)) {
|
||||||
|
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||||
|
}
|
||||||
|
} catch (PGPException e) {
|
||||||
|
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verify a signature (certification or revocation) over a user-id.
|
||||||
|
*
|
||||||
|
* @param userId user-id
|
||||||
|
* @param signature self-signature
|
||||||
|
* @param primaryKey primary key that created the signature
|
||||||
|
* @param policy policy
|
||||||
|
* @param validationDate reference date for signature verification
|
||||||
|
* @return true if the signature is successfully verified
|
||||||
|
*
|
||||||
|
* @throws SignatureValidationException if signature verification fails for some reason
|
||||||
|
*/
|
||||||
|
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
|
||||||
|
throws SignatureValidationException {
|
||||||
|
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
|
||||||
|
}
|
||||||
|
}
|
|
@ -16,7 +16,6 @@
|
||||||
package org.pgpainless.signature;
|
package org.pgpainless.signature;
|
||||||
|
|
||||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
|
||||||
import static org.junit.jupiter.api.Assertions.fail;
|
import static org.junit.jupiter.api.Assertions.fail;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
@ -30,7 +29,7 @@ import org.pgpainless.PGPainless;
|
||||||
import org.pgpainless.exception.SignatureValidationException;
|
import org.pgpainless.exception.SignatureValidationException;
|
||||||
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
||||||
|
|
||||||
public class SignatureWasPossibleyMadeByKeyTest {
|
public class SignatureWasPossiblyMadeByKeyTest {
|
||||||
|
|
||||||
public static PGPPublicKeyRing CERT;
|
public static PGPPublicKeyRing CERT;
|
||||||
public static PGPPublicKey SIGKEY;
|
public static PGPPublicKey SIGKEY;
|
||||||
|
@ -103,7 +102,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
||||||
"=4ZFC\n" +
|
"=4ZFC\n" +
|
||||||
"-----END PGP SIGNATURE-----";
|
"-----END PGP SIGNATURE-----";
|
||||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer)));
|
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -123,7 +122,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" +
|
"Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" +
|
||||||
"=IcX1\n" +
|
"=IcX1\n" +
|
||||||
"-----END PGP SIGNATURE-----\n";
|
"-----END PGP SIGNATURE-----\n";
|
||||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer)));
|
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -144,7 +143,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"-----END PGP SIGNATURE-----";
|
"-----END PGP SIGNATURE-----";
|
||||||
|
|
||||||
|
|
||||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint)));
|
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -165,11 +164,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"=LBou\n" +
|
"=LBou\n" +
|
||||||
"-----END PGP SIGNATURE-----\n";
|
"-----END PGP SIGNATURE-----\n";
|
||||||
|
|
||||||
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint)));
|
assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void issuerMismatch() {
|
public void issuerMismatch() throws PGPException, IOException {
|
||||||
String sig = "-----BEGIN PGP SIGNATURE-----\n" +
|
String sig = "-----BEGIN PGP SIGNATURE-----\n" +
|
||||||
"\n" +
|
"\n" +
|
||||||
"wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
"wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
||||||
|
@ -185,11 +184,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
|
||||||
"=4ZFC\n" +
|
"=4ZFC\n" +
|
||||||
"-----END PGP SIGNATURE-----";
|
"-----END PGP SIGNATURE-----";
|
||||||
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sig)));
|
assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sig));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void noIssuer_fingerprintMismatch() {
|
public void noIssuer_fingerprintMismatch() throws PGPException, IOException {
|
||||||
String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" +
|
String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" +
|
||||||
"\n" +
|
"\n" +
|
||||||
"wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
"wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
|
||||||
|
@ -206,10 +205,19 @@ public class SignatureWasPossibleyMadeByKeyTest {
|
||||||
"=A/zE\n" +
|
"=A/zE\n" +
|
||||||
"-----END PGP SIGNATURE-----\n";
|
"-----END PGP SIGNATURE-----\n";
|
||||||
|
|
||||||
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint)));
|
assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint));
|
||||||
}
|
}
|
||||||
|
|
||||||
private PGPSignature get(String encoded) throws PGPException, IOException {
|
private PGPSignature get(String encoded) throws PGPException, IOException {
|
||||||
return SignatureUtils.readSignatures(encoded).get(0);
|
return SignatureUtils.readSignatures(encoded).get(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void assertWasPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) throws SignatureValidationException {
|
||||||
|
SignatureValidator.wasPossiblyMadeByKey(signatureKey).verify(signature);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void assertWasNotPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) {
|
||||||
|
assertThrows(SignatureValidationException.class, () -> assertWasPossiblyMadeByKey(signatureKey, signature));
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
Loading…
Reference in a new issue