1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-23 12:52:07 +01:00

Separate Signature verification methods out of SignatureValidator into SignatureVerifier

This commit is contained in:
Paul Schaub 2021-08-18 14:28:36 +02:00
parent 8c3b694a71
commit 3abb796220
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
6 changed files with 529 additions and 473 deletions

View file

@ -33,7 +33,7 @@ import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.policy.Policy; import org.pgpainless.policy.Policy;
import org.pgpainless.signature.SignatureCreationDateComparator; import org.pgpainless.signature.SignatureCreationDateComparator;
import org.pgpainless.signature.SignatureValidator; import org.pgpainless.signature.SignatureVerifier;
import org.pgpainless.util.CollectionUtils; import org.pgpainless.util.CollectionUtils;
public final class KeyRingValidator { public final class KeyRingValidator {
@ -77,7 +77,7 @@ public final class KeyRingValidator {
Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD)); Collections.sort(directKeyCertifications, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
for (PGPSignature signature : directKeyCertifications) { for (PGPSignature signature : directKeyCertifications) {
try { try {
if (SignatureValidator.verifyDirectKeySignature(signature, blank, policy, validationDate)) { if (SignatureVerifier.verifyDirectKeySignature(signature, blank, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, signature); blank = PGPPublicKey.addCertification(blank, signature);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -90,7 +90,7 @@ public final class KeyRingValidator {
Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD)); Collections.sort(directKeyRevocations, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
for (PGPSignature signature : directKeyRevocations) { for (PGPSignature signature : directKeyRevocations) {
try { try {
if (SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) { if (SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, signature); blank = PGPPublicKey.addCertification(blank, signature);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -107,11 +107,11 @@ public final class KeyRingValidator {
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) { if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
if (SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) { if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, userId, signature); blank = PGPPublicKey.addCertification(blank, userId, signature);
} }
} else { } else {
if (SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) { if (SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, userId, signature); blank = PGPPublicKey.addCertification(blank, userId, signature);
} }
} }
@ -129,11 +129,11 @@ public final class KeyRingValidator {
PGPSignature signature = userAttributeSignatureIterator.next(); PGPSignature signature = userAttributeSignatureIterator.next();
try { try {
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) { if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
if (SignatureValidator.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) { if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, userAttribute, signature); blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
} }
} else { } else {
if (SignatureValidator.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) { if (SignatureVerifier.verifyUserAttributesCertification(userAttribute, signature, primaryKey, policy, validationDate)) {
blank = PGPPublicKey.addCertification(blank, userAttribute, signature); blank = PGPPublicKey.addCertification(blank, userAttribute, signature);
} }
} }

View file

@ -15,7 +15,7 @@
*/ */
package org.pgpainless.signature; package org.pgpainless.signature;
import static org.pgpainless.signature.SignatureValidator.verifyOnePassSignature; import static org.pgpainless.signature.SignatureVerifier.verifyOnePassSignature;
import java.io.InputStream; import java.io.InputStream;
import java.util.ArrayList; import java.util.ArrayList;
@ -40,9 +40,7 @@ import org.pgpainless.policy.Policy;
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
/** /**
* This class implements validity checks on OpenPGP signatures. * A collection of static methods that validate signing certificates (public keys) and verify signature correctness.
* Its responsibilities are checking if a signing key was eligible to create a certain signature
* and if the signature is valid at the time of validation.
*/ */
public final class CertificateValidator { public final class CertificateValidator {
@ -85,7 +83,7 @@ public final class CertificateValidator {
while (primaryKeyRevocationIterator.hasNext()) { while (primaryKeyRevocationIterator.hasNext()) {
PGPSignature revocation = primaryKeyRevocationIterator.next(); PGPSignature revocation = primaryKeyRevocationIterator.next();
try { try {
if (SignatureValidator.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) { if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
directKeySignatures.add(revocation); directKeySignatures.add(revocation);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -99,7 +97,7 @@ public final class CertificateValidator {
while (keySignatures.hasNext()) { while (keySignatures.hasNext()) {
PGPSignature keySignature = keySignatures.next(); PGPSignature keySignature = keySignatures.next();
try { try {
if (SignatureValidator.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) { if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
directKeySignatures.add(keySignature); directKeySignatures.add(keySignature);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -125,7 +123,7 @@ public final class CertificateValidator {
while (userIdSigs.hasNext()) { while (userIdSigs.hasNext()) {
PGPSignature userIdSig = userIdSigs.next(); PGPSignature userIdSig = userIdSigs.next();
try { try {
if (SignatureValidator.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) { if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
signaturesOnUserId.add(userIdSig); signaturesOnUserId.add(userIdSig);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -175,7 +173,7 @@ public final class CertificateValidator {
while (bindingRevocations.hasNext()) { while (bindingRevocations.hasNext()) {
PGPSignature revocation = bindingRevocations.next(); PGPSignature revocation = bindingRevocations.next();
try { try {
if (SignatureValidator.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) { if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
subkeySigs.add(revocation); subkeySigs.add(revocation);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -188,7 +186,7 @@ public final class CertificateValidator {
while (bindingSigs.hasNext()) { while (bindingSigs.hasNext()) {
PGPSignature bindingSig = bindingSigs.next(); PGPSignature bindingSig = bindingSigs.next();
try { try {
if (SignatureValidator.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) { if (SignatureVerifier.verifySubkeyBindingSignature(bindingSig, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
subkeySigs.add(bindingSig); subkeySigs.add(bindingSig);
} }
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
@ -244,7 +242,7 @@ public final class CertificateValidator {
throws SignatureValidationException { throws SignatureValidationException {
validateCertificate(signature, signingKeyRing, policy); validateCertificate(signature, signingKeyRing, policy);
long keyId = SignatureUtils.determineIssuerKeyId(signature); long keyId = SignatureUtils.determineIssuerKeyId(signature);
return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate); return SignatureVerifier.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
} }
/** /**
@ -262,10 +260,19 @@ public final class CertificateValidator {
validateCertificate(signature, verificationKeys, policy); validateCertificate(signature, verificationKeys, policy);
long keyId = SignatureUtils.determineIssuerKeyId(signature); long keyId = SignatureUtils.determineIssuerKeyId(signature);
PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId); PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime()); SignatureVerifier.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
return true; return true;
} }
/**
* Validate the signing key certificate and the given {@link OnePassSignature}.
*
* @param signature OpenPGP signature from the signed message
* @param onePassSignature corresponding one-pass-signature
* @param policy policy
* @return true if the certificate is valid and the signature is correct, false otherwise.
* @throws SignatureValidationException in case of a validation error
*/
public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy) public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy)
throws SignatureValidationException { throws SignatureValidationException {
validateCertificate(signature, onePassSignature.getVerificationKeys(), policy); validateCertificate(signature, onePassSignature.getVerificationKeys(), policy);

View file

@ -63,7 +63,7 @@ public final class SignaturePicker {
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
SignatureValidator.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate); SignatureVerifier.verifyKeyRevocationSignature(signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
// Signature is not valid // Signature is not valid
continue; continue;
@ -102,7 +102,7 @@ public final class SignaturePicker {
PGPSignature mostRecentDirectKeySigBySigningKey = null; PGPSignature mostRecentDirectKeySigBySigningKey = null;
for (PGPSignature signature : directKeySignatures) { for (PGPSignature signature : directKeySignatures) {
try { try {
SignatureValidator.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate); SignatureVerifier.verifyDirectKeySignature(signature, signingKey, signedKey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
// Direct key sig is not valid // Direct key sig is not valid
continue; continue;
@ -180,7 +180,7 @@ public final class SignaturePicker {
PGPSignature latestUserIdRevocation = null; PGPSignature latestUserIdRevocation = null;
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
SignatureValidator.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate); SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
// User-id revocation is not valid // User-id revocation is not valid
continue; continue;
@ -211,7 +211,7 @@ public final class SignaturePicker {
PGPSignature mostRecentUserIdCertification = null; PGPSignature mostRecentUserIdCertification = null;
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
SignatureValidator.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate); SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
// User-id certification is not valid // User-id certification is not valid
continue; continue;
@ -243,7 +243,7 @@ public final class SignaturePicker {
PGPSignature latestUserIdCert = null; PGPSignature latestUserIdCert = null;
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
SignatureValidator.verifyWasPossiblyMadeByKey(primaryKey, signature); SignatureValidator.wasPossiblyMadeByKey(primaryKey).verify(signature);
SignatureValidator.signatureIsCertification().verify(signature); SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature); SignatureValidator.signatureIsAlreadyEffective(validationDate).verify(signature);
@ -284,7 +284,7 @@ public final class SignaturePicker {
for (PGPSignature signature : signatures) { for (PGPSignature signature : signatures) {
try { try {
SignatureValidator.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate); SignatureVerifier.verifySubkeyBindingRevocation(signature, primaryKey, subkey, policy, validationDate);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
// subkey binding revocation is not valid // subkey binding revocation is not valid
continue; continue;
@ -316,7 +316,7 @@ public final class SignaturePicker {
for (PGPSignature signature : subkeyBindingSigs) { for (PGPSignature signature : subkeyBindingSigs) {
try { try {
SignatureValidator.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate); SignatureVerifier.verifySubkeyBindingSignature(signature, primaryKey, subkey, policy, validationDate);
} catch (SignatureValidationException validationException) { } catch (SignatureValidationException validationException) {
// Subkey binding sig is not valid // Subkey binding sig is not valid
continue; continue;

View file

@ -15,8 +15,6 @@
*/ */
package org.pgpainless.signature; package org.pgpainless.signature;
import java.io.IOException;
import java.io.InputStream;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Date; import java.util.Date;
@ -48,456 +46,48 @@ import org.pgpainless.util.BCUtil;
import org.pgpainless.util.DateUtil; import org.pgpainless.util.DateUtil;
import org.pgpainless.util.NotationRegistry; import org.pgpainless.util.NotationRegistry;
/**
* A collection of validators that perform validation steps over signatures.
*/
public abstract class SignatureValidator { public abstract class SignatureValidator {
public abstract void verify(PGPSignature signature) throws SignatureValidationException; public abstract void verify(PGPSignature signature) throws SignatureValidationException;
/**
* Initialize a signature and verify it afterwards by updating it with the signed data.
*
* @param signature OpenPGP signature
* @param signedData input stream containing the signed data
* @param signingKey the key that created the signature
* @param policy policy
* @param validationDate reference date of signature verification
* @return true if the signature is successfully verified
*
* @throws SignatureValidationException if the signature verification fails for some reason
*/
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
}
/**
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
*
* @param signature OpenPGP signature
* @param signedData input stream containing signed data
* @param signingKey key that created the signature
*
* @throws SignatureValidationException in case the signature cannot be verified for some reason
*/
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
throws SignatureValidationException {
try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
int read;
byte[] buf = new byte[8192];
while ((read = signedData.read(buf)) != -1) {
signature.update(buf, 0, read);
}
} catch (PGPException e) {
throw new SignatureValidationException("Cannot init signature.", e);
} catch (IOException e) {
throw new SignatureValidationException("Cannot update signature.", e);
}
}
/**
* Verify an initialized signature.
* An initialized signature was already updated with the signed data.
*
* @param signature OpenPGP signature
* @param signingKey key that created the signature
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature is verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
throws SignatureValidationException {
verifyWasPossiblyMadeByKey(signingKey, signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
try {
if (!signature.verify()) {
throw new SignatureValidationException("Signature is not correct.");
}
return true;
} catch (PGPException e) {
throw new SignatureValidationException("Could not verify signature correctness.", e);
}
}
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
throws SignatureValidationException {
try {
verifyWasPossiblyMadeByKey(signingKey, signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective().verify(signature);
} catch (SignatureValidationException e) {
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
}
try {
if (!onePassSignature.verify(signature)) {
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
}
} catch (PGPException e) {
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
}
return true;
}
/**
* Verify a signature (certification or revocation) over a user-id.
*
* @param userId user-id
* @param signature self-signature
* @param primaryKey primary key that created the signature
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a signature (certification or revocation) over a user-id.
*
* @param userId user-id
* @param signature certification signature
* @param signingKey key that created the certification
* @param keyWithUserId key carrying the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
switch (type) {
case GENERIC_CERTIFICATION:
case NO_CERTIFICATION:
case CASUAL_CERTIFICATION:
case POSITIVE_CERTIFICATION:
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
case CERTIFICATION_REVOCATION:
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
default:
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
}
}
/** /**
* Check, whether there is the possibility that the given signature was created by the given key. * Check, whether there is the possibility that the given signature was created by the given key.
* This method throws a {@link SignatureValidationException} if we can say with certainty that the signature * {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that the signature
* was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet). * was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
* *
* If there is no information found in the signature about who created it (no issuer, no fingerprint), * If there is no information found in the signature about who created it (no issuer, no fingerprint),
* return true since it is plausible that the given key created the sig. * {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig.
* *
* @param signingKey signing key * @param signingKey signing key
* @param signature signature * @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by the given key.
* @return true only if the signing key either created the signature or the signature doesn't carry signer information
* @throws SignatureValidationException if the sig was not created by the key
*/ */
public static boolean verifyWasPossiblyMadeByKey(PGPPublicKey signingKey, PGPSignature signature) throws SignatureValidationException { public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) {
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey); return new SignatureValidator() {
@Override
public void verify(PGPSignature signature) throws SignatureValidationException {
OpenPgpV4Fingerprint signingKeyFingerprint = new OpenPgpV4Fingerprint(signingKey);
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature); Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
if (issuer != null) { if (issuer != null) {
if (issuer != signingKey.getKeyID()) { if (issuer != signingKey.getKeyID()) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")"); throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
} else { }
return true; }
OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature);
if (fingerprint != null) {
if (!fingerprint.equals(signingKeyFingerprint)) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
}
}
// No issuer information found, so we cannot rule out that we did not create the sig
} }
} };
OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature);
if (fingerprint != null) {
if (!fingerprint.equals(signingKeyFingerprint)) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
} else {
return true;
}
}
// No issuer information found, so we cannot rule out that we did not create the sig
return true;
}
/**
* Verify a certification self-signature over a user-id.
*
* @param userId user-id
* @param signature certification signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the self-signature is verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-id certification.
*
* @param userId user-id
* @param signature certification signature
* @param signingKey key that created the certification
* @param keyWithUserId primary key that carries the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
signatureIsCertification().verify(signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true;
}
/**
* Verify a user-id revocation self-signature.
*
* @param userId user-id
* @param signature user-id revocation signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-id revocation signature.
*
* @param userId user-id
* @param signature revocation signature
* @param signingKey key that created the revocation signature
* @param keyWithUserId primary key carrying the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true;
}
/**
* Verify a certification self-signature over a user-attributes packet.
*
* @param userAttributes user attributes
* @param signature certification self-signature
* @param primaryKey primary key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a certification signature over a user-attributes packet.
*
* @param userAttributes user attributes
* @param signature certification signature
* @param signingKey key that created the user-attributes certification
* @param keyWithUserAttributes key that carries the user-attributes certification
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
signatureIsCertification().verify(signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
return true;
}
/**
* Verify a user-attributes revocation self-signature.
*
* @param userAttributes user-attributes
* @param signature user-attributes revocation signature
* @param primaryKey primary key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-attributes revocation signature.
*
* @param userAttributes user-attributes
* @param signature revocation signature
* @param signingKey revocation key
* @param keyWithUserAttributes key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
return true;
}
/**
* Verify a subkey binding signature.
*
* @param signature binding signature
* @param primaryKey primary key
* @param subkey subkey
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the binding signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
throws SignatureValidationException {
signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
return true;
}
/**
* Verify a subkey revocation signature.
*
* @param signature subkey revocation signature
* @param primaryKey primary key
* @param subkey subkey
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the subkey revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverKey(primaryKey, subkey).verify(signature);
return true;
}
/**
* Verify a direct-key self-signature.
*
* @param signature signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a direct-key signature.
*
* @param signature signature
* @param signingKey signing key
* @param signedKey signed key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
throws SignatureValidationException {
signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverKey(signingKey, signedKey).verify(signature);
return true;
}
/**
* Verify a key revocation signature.
*
* @param signature signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
signatureIsEffective(validationDate).verify(signature);
correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
return true;
} }
/** /**
@ -510,7 +100,7 @@ public abstract class SignatureValidator {
* @param validationDate reference date for signature verification * @param validationDate reference date for signature verification
* @return validator * @return validator
*/ */
private static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) { public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {

View file

@ -0,0 +1,451 @@
/*
* Copyright 2021 Paul Schaub.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.pgpainless.signature;
import java.io.IOException;
import java.io.InputStream;
import java.util.Date;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.policy.Policy;
/**
* Collection of static methods for signature verification.
* Signature verification entails validation of certain criteria (see {@link SignatureValidator}, as well as
* cryptographic verification of signature correctness.
*/
public final class SignatureVerifier {
private SignatureVerifier() {
}
/**
* Verify a signature (certification or revocation) over a user-id.
*
* @param userId user-id
* @param signature certification signature
* @param signingKey key that created the certification
* @param keyWithUserId key carrying the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureType type = SignatureType.valueOf(signature.getSignatureType());
switch (type) {
case GENERIC_CERTIFICATION:
case NO_CERTIFICATION:
case CASUAL_CERTIFICATION:
case POSITIVE_CERTIFICATION:
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate);
case CERTIFICATION_REVOCATION:
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate);
default:
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
}
}
/**
* Verify a certification self-signature over a user-id.
*
* @param userId user-id
* @param signature certification signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the self-signature is verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-id certification.
*
* @param userId user-id
* @param signature certification signature
* @param signingKey key that created the certification
* @param keyWithUserId primary key that carries the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true;
}
/**
* Verify a user-id revocation self-signature.
*
* @param userId user-id
* @param signature user-id revocation signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-id revocation signature.
*
* @param userId user-id
* @param signature revocation signature
* @param signingKey key that created the revocation signature
* @param keyWithUserId primary key carrying the user-id
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true;
}
/**
* Verify a certification self-signature over a user-attributes packet.
*
* @param userAttributes user attributes
* @param signature certification self-signature
* @param primaryKey primary key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a certification signature over a user-attributes packet.
*
* @param userAttributes user attributes
* @param signature certification signature
* @param signingKey key that created the user-attributes certification
* @param keyWithUserAttributes key that carries the user-attributes certification
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
return true;
}
/**
* Verify a user-attributes revocation self-signature.
*
* @param userAttributes user-attributes
* @param signature user-attributes revocation signature
* @param primaryKey primary key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a user-attributes revocation signature.
*
* @param userAttributes user-attributes
* @param signature revocation signature
* @param signingKey revocation key
* @param keyWithUserAttributes key that carries the user-attributes
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature);
return true;
}
/**
* Verify a subkey binding signature.
*
* @param signature binding signature
* @param primaryKey primary key
* @param subkey subkey
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the binding signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature);
SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
return true;
}
/**
* Verify a subkey revocation signature.
*
* @param signature subkey revocation signature
* @param primaryKey primary key
* @param subkey subkey
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the subkey revocation signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
return true;
}
/**
* Verify a direct-key self-signature.
*
* @param signature signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature can be verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate);
}
/**
* Verify a direct-key signature.
*
* @param signature signature
* @param signingKey signing key
* @param signedKey signed key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
return true;
}
/**
* Verify a key revocation signature.
*
* @param signature signature
* @param primaryKey primary key
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature verification is successful
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
return true;
}
/**
* Initialize a signature and verify it afterwards by updating it with the signed data.
*
* @param signature OpenPGP signature
* @param signedData input stream containing the signed data
* @param signingKey the key that created the signature
* @param policy policy
* @param validationDate reference date of signature verification
* @return true if the signature is successfully verified
*
* @throws SignatureValidationException if the signature verification fails for some reason
*/
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException {
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
return verifyInitializedSignature(signature, signingKey, policy, validationDate);
}
/**
* Initialize a signature and then update it with the signed data from the given {@link InputStream}.
*
* @param signature OpenPGP signature
* @param signedData input stream containing signed data
* @param signingKey key that created the signature
*
* @throws SignatureValidationException in case the signature cannot be verified for some reason
*/
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey)
throws SignatureValidationException {
try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
int read;
byte[] buf = new byte[8192];
while ((read = signedData.read(buf)) != -1) {
signature.update(buf, 0, read);
}
} catch (PGPException e) {
throw new SignatureValidationException("Cannot init signature.", e);
} catch (IOException e) {
throw new SignatureValidationException("Cannot update signature.", e);
}
}
/**
* Verify an initialized signature.
* An initialized signature was already updated with the signed data.
*
* @param signature OpenPGP signature
* @param signingKey key that created the signature
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if signature is verified successfully
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
try {
if (!signature.verify()) {
throw new SignatureValidationException("Signature is not correct.");
}
return true;
} catch (PGPException e) {
throw new SignatureValidationException("Could not verify signature correctness.", e);
}
}
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
throws SignatureValidationException {
try {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective().verify(signature);
} catch (SignatureValidationException e) {
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
}
try {
if (!onePassSignature.verify(signature)) {
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
}
} catch (PGPException e) {
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
}
return true;
}
/**
* Verify a signature (certification or revocation) over a user-id.
*
* @param userId user-id
* @param signature self-signature
* @param primaryKey primary key that created the signature
* @param policy policy
* @param validationDate reference date for signature verification
* @return true if the signature is successfully verified
*
* @throws SignatureValidationException if signature verification fails for some reason
*/
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate)
throws SignatureValidationException {
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate);
}
}

View file

@ -16,7 +16,6 @@
package org.pgpainless.signature; package org.pgpainless.signature;
import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail; import static org.junit.jupiter.api.Assertions.fail;
import java.io.IOException; import java.io.IOException;
@ -30,7 +29,7 @@ import org.pgpainless.PGPainless;
import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint;
public class SignatureWasPossibleyMadeByKeyTest { public class SignatureWasPossiblyMadeByKeyTest {
public static PGPPublicKeyRing CERT; public static PGPPublicKeyRing CERT;
public static PGPPublicKey SIGKEY; public static PGPPublicKey SIGKEY;
@ -103,7 +102,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" + "cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
"=4ZFC\n" + "=4ZFC\n" +
"-----END PGP SIGNATURE-----"; "-----END PGP SIGNATURE-----";
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer))); assertWasPossiblyMadeByKey(SIGKEY, get(sigWithIssuer));
} }
@Test @Test
@ -123,7 +122,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
"Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" + "Q0Quxar3DOTtNNQVrXeoeIlVGue0pNCwg6abDj5N\n" +
"=IcX1\n" + "=IcX1\n" +
"-----END PGP SIGNATURE-----\n"; "-----END PGP SIGNATURE-----\n";
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer))); assertWasPossiblyMadeByKey(SIGKEY, get(sigWithHashedIssuer));
} }
@Test @Test
@ -144,7 +143,7 @@ public class SignatureWasPossibleyMadeByKeyTest {
"-----END PGP SIGNATURE-----"; "-----END PGP SIGNATURE-----";
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint))); assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerNoFingerprint));
} }
@Test @Test
@ -165,11 +164,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
"=LBou\n" + "=LBou\n" +
"-----END PGP SIGNATURE-----\n"; "-----END PGP SIGNATURE-----\n";
assertTrue(SignatureValidator.verifyWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint))); assertWasPossiblyMadeByKey(SIGKEY, get(sigWithNoIssuerUnhashedFingerprint));
} }
@Test @Test
public void issuerMismatch() { public void issuerMismatch() throws PGPException, IOException {
String sig = "-----BEGIN PGP SIGNATURE-----\n" + String sig = "-----BEGIN PGP SIGNATURE-----\n" +
"\n" + "\n" +
"wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + "wsE7BAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
@ -185,11 +184,11 @@ public class SignatureWasPossibleyMadeByKeyTest {
"cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" + "cqP71SMuOwD+JNuWQCd4e1WaTWNXrB1xerzmuWFc\n" +
"=4ZFC\n" + "=4ZFC\n" +
"-----END PGP SIGNATURE-----"; "-----END PGP SIGNATURE-----";
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sig))); assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sig));
} }
@Test @Test
public void noIssuer_fingerprintMismatch() { public void noIssuer_fingerprintMismatch() throws PGPException, IOException {
String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" + String sigWithNoIssuerAndWrongFingerprint = "-----BEGIN PGP SIGNATURE-----\n" +
"\n" + "\n" +
"wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" + "wsExBAABCABlBYJgyf21RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt\n" +
@ -206,10 +205,19 @@ public class SignatureWasPossibleyMadeByKeyTest {
"=A/zE\n" + "=A/zE\n" +
"-----END PGP SIGNATURE-----\n"; "-----END PGP SIGNATURE-----\n";
assertThrows(SignatureValidationException.class, () -> SignatureValidator.verifyWasPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint))); assertWasNotPossiblyMadeByKey(NOSIGKEY, get(sigWithNoIssuerAndWrongFingerprint));
} }
private PGPSignature get(String encoded) throws PGPException, IOException { private PGPSignature get(String encoded) throws PGPException, IOException {
return SignatureUtils.readSignatures(encoded).get(0); return SignatureUtils.readSignatures(encoded).get(0);
} }
private void assertWasPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signatureKey).verify(signature);
}
private void assertWasNotPossiblyMadeByKey(PGPPublicKey signatureKey, PGPSignature signature) {
assertThrows(SignatureValidationException.class, () -> assertWasPossiblyMadeByKey(signatureKey, signature));
}
} }