1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-27 05:17:59 +01:00

Verify that keys can carry certain key flags

This commit is contained in:
Paul Schaub 2021-01-03 17:01:08 +01:00
parent 2378162953
commit 5143da1311
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
10 changed files with 167 additions and 11 deletions

View file

@ -38,10 +38,35 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
@Override
public WithDetailedConfiguration withKeyFlags(@Nonnull KeyFlag... flags) {
assureKeyCanCarryFlags(flags);
this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(flags));
return new WithDetailedConfigurationImpl();
}
private void assureKeyCanCarryFlags(KeyFlag... flags) {
final int mask = KeyFlag.toBitmask(flags);
if (!type.canCertify() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) {
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag CERTIFY_OTHER.");
}
if (!type.canSign() && KeyFlag.hasKeyFlag(mask, KeyFlag.SIGN_DATA)) {
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag SIGN_DATA.");
}
if (!type.canEncryptCommunication() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS)) {
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_COMMS.");
}
if (!type.canEncryptStorage() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_STORAGE)) {
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_STORAGE.");
}
if (!type.canAuthenticate() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) {
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION.");
}
}
@Override
public KeySpec withInheritedSubPackets() {
return new KeySpec(type, null, true);

View file

@ -52,12 +52,50 @@ public interface KeyType {
AlgorithmParameterSpec getAlgorithmSpec();
/**
* Return true if the key that is generated from this type is able to carry the CERTIFY_OTHERS key flag.
* Return true if the key that is generated from this type is able to carry the SIGN_DATA key flag.
* See {@link org.pgpainless.algorithm.KeyFlag#SIGN_DATA}.
*
* @return true if the key can sign.
*/
boolean canSign();
/**
* Return true if the key that is generated from this type is able to carry the CERTIFY_OTHER key flag.
* See {@link org.pgpainless.algorithm.KeyFlag#CERTIFY_OTHER}.
*
* @return true if the key is able to certify others
* @return true if the key is able to certify other keys
*/
boolean canCertify();
default boolean canCertify() {
return canSign();
}
/**
* Return true if the key that is generated from this type is able to carry the AUTHENTICATION key flag.
* See {@link org.pgpainless.algorithm.KeyFlag#AUTHENTICATION}.
*
* @return true if the key is able to be used for authentication purposes.
*/
default boolean canAuthenticate() {
return canSign();
}
/**
* Return true if the key that is generated from this type is able to carry the ENCRYPT_COMMS key flag.
* See {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS}.
*
* @return true if the key can encrypt communication
*/
boolean canEncryptCommunication();
/**
* Return true if the key that is generated from this type is able to carry the ENCRYPT_STORAGE key flag.
* See {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE}.
*
* @return true if the key can encrypt for storage
*/
default boolean canEncryptStorage() {
return canEncryptCommunication();
}
static KeyType RSA(RsaLength length) {
return RSA.withLength(length);

View file

@ -51,7 +51,12 @@ public final class ECDH implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return false;
}
@Override
public boolean canEncryptCommunication() {
return true;
}
}

View file

@ -52,7 +52,13 @@ public final class ECDSA implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return true;
}
@Override
public boolean canEncryptCommunication() {
return false;
}
}

View file

@ -52,7 +52,12 @@ public final class EdDSA implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return true;
}
@Override
public boolean canEncryptCommunication() {
return false;
}
}

View file

@ -50,7 +50,13 @@ public final class ElGamal_ENCRYPT implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return false;
}
@Override
public boolean canEncryptCommunication() {
return true;
}
}

View file

@ -51,7 +51,12 @@ public class ElGamal_GENERAL implements KeyType {
}
@Override
public boolean canCertify() {
return false;
public boolean canSign() {
return true;
}
@Override
public boolean canEncryptCommunication() {
return true;
}
}

View file

@ -53,7 +53,12 @@ public class RSA implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return true;
}
@Override
public boolean canEncryptCommunication() {
return true;
}
}

View file

@ -49,7 +49,12 @@ public final class XDH implements KeyType {
}
@Override
public boolean canCertify() {
public boolean canSign() {
return false;
}
@Override
public boolean canEncryptCommunication() {
return true;
}
}

View file

@ -0,0 +1,56 @@
/*
* Copyright 2021 Paul Schaub.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.pgpainless.key.generation;
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.key.generation.type.KeyType;
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
import org.pgpainless.key.generation.type.xdh.XDHCurve;
public class IllegalKeyFlagsTest {
@Test
public void testKeyCannotCarryFlagsTest() {
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
.withKeyFlags(KeyFlag.SIGN_DATA) // <- should throw
.withDefaultAlgorithms()));
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
.withKeyFlags(KeyFlag.CERTIFY_OTHER) // <- should throw
.withDefaultAlgorithms()));
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
.withKeyFlags(KeyFlag.AUTHENTICATION) // <- should throw
.withDefaultAlgorithms()));
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
.withMasterKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519))
.withKeyFlags(KeyFlag.ENCRYPT_COMMS) // <- should throw
.withDefaultAlgorithms()));
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
.withMasterKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519))
.withKeyFlags(KeyFlag.ENCRYPT_STORAGE) // <- should throw as well
.withDefaultAlgorithms()));
}
}