mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-30 00:02:06 +01:00
Verify that keys can carry certain key flags
This commit is contained in:
parent
2378162953
commit
5143da1311
10 changed files with 167 additions and 11 deletions
|
@ -38,10 +38,35 @@ public class KeySpecBuilder implements KeySpecBuilderInterface {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public WithDetailedConfiguration withKeyFlags(@Nonnull KeyFlag... flags) {
|
public WithDetailedConfiguration withKeyFlags(@Nonnull KeyFlag... flags) {
|
||||||
|
assureKeyCanCarryFlags(flags);
|
||||||
this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(flags));
|
this.hashedSubPackets.setKeyFlags(false, KeyFlag.toBitmask(flags));
|
||||||
return new WithDetailedConfigurationImpl();
|
return new WithDetailedConfigurationImpl();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void assureKeyCanCarryFlags(KeyFlag... flags) {
|
||||||
|
final int mask = KeyFlag.toBitmask(flags);
|
||||||
|
|
||||||
|
if (!type.canCertify() && KeyFlag.hasKeyFlag(mask, KeyFlag.CERTIFY_OTHER)) {
|
||||||
|
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag CERTIFY_OTHER.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!type.canSign() && KeyFlag.hasKeyFlag(mask, KeyFlag.SIGN_DATA)) {
|
||||||
|
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag SIGN_DATA.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!type.canEncryptCommunication() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_COMMS)) {
|
||||||
|
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_COMMS.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!type.canEncryptStorage() && KeyFlag.hasKeyFlag(mask, KeyFlag.ENCRYPT_STORAGE)) {
|
||||||
|
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag ENCRYPT_STORAGE.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!type.canAuthenticate() && KeyFlag.hasKeyFlag(mask, KeyFlag.AUTHENTICATION)) {
|
||||||
|
throw new IllegalArgumentException("KeyType " + type.getName() + " cannot carry key flag AUTHENTIACTION.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeySpec withInheritedSubPackets() {
|
public KeySpec withInheritedSubPackets() {
|
||||||
return new KeySpec(type, null, true);
|
return new KeySpec(type, null, true);
|
||||||
|
|
|
@ -52,12 +52,50 @@ public interface KeyType {
|
||||||
AlgorithmParameterSpec getAlgorithmSpec();
|
AlgorithmParameterSpec getAlgorithmSpec();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return true if the key that is generated from this type is able to carry the CERTIFY_OTHERS key flag.
|
* Return true if the key that is generated from this type is able to carry the SIGN_DATA key flag.
|
||||||
|
* See {@link org.pgpainless.algorithm.KeyFlag#SIGN_DATA}.
|
||||||
|
*
|
||||||
|
* @return true if the key can sign.
|
||||||
|
*/
|
||||||
|
boolean canSign();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return true if the key that is generated from this type is able to carry the CERTIFY_OTHER key flag.
|
||||||
* See {@link org.pgpainless.algorithm.KeyFlag#CERTIFY_OTHER}.
|
* See {@link org.pgpainless.algorithm.KeyFlag#CERTIFY_OTHER}.
|
||||||
*
|
*
|
||||||
* @return true if the key is able to certify others
|
* @return true if the key is able to certify other keys
|
||||||
*/
|
*/
|
||||||
boolean canCertify();
|
default boolean canCertify() {
|
||||||
|
return canSign();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return true if the key that is generated from this type is able to carry the AUTHENTICATION key flag.
|
||||||
|
* See {@link org.pgpainless.algorithm.KeyFlag#AUTHENTICATION}.
|
||||||
|
*
|
||||||
|
* @return true if the key is able to be used for authentication purposes.
|
||||||
|
*/
|
||||||
|
default boolean canAuthenticate() {
|
||||||
|
return canSign();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return true if the key that is generated from this type is able to carry the ENCRYPT_COMMS key flag.
|
||||||
|
* See {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_COMMS}.
|
||||||
|
*
|
||||||
|
* @return true if the key can encrypt communication
|
||||||
|
*/
|
||||||
|
boolean canEncryptCommunication();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return true if the key that is generated from this type is able to carry the ENCRYPT_STORAGE key flag.
|
||||||
|
* See {@link org.pgpainless.algorithm.KeyFlag#ENCRYPT_STORAGE}.
|
||||||
|
*
|
||||||
|
* @return true if the key can encrypt for storage
|
||||||
|
*/
|
||||||
|
default boolean canEncryptStorage() {
|
||||||
|
return canEncryptCommunication();
|
||||||
|
}
|
||||||
|
|
||||||
static KeyType RSA(RsaLength length) {
|
static KeyType RSA(RsaLength length) {
|
||||||
return RSA.withLength(length);
|
return RSA.withLength(length);
|
||||||
|
|
|
@ -51,7 +51,12 @@ public final class ECDH implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,7 +52,13 @@ public final class ECDSA implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,7 +52,12 @@ public final class EdDSA implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -50,7 +50,13 @@ public final class ElGamal_ENCRYPT implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -51,7 +51,12 @@ public class ElGamal_GENERAL implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return false;
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -53,7 +53,12 @@ public class RSA implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -49,7 +49,12 @@ public final class XDH implements KeyType {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean canCertify() {
|
public boolean canSign() {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean canEncryptCommunication() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Paul Schaub.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.pgpainless.key.generation;
|
||||||
|
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
|
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
import org.pgpainless.PGPainless;
|
||||||
|
import org.pgpainless.algorithm.KeyFlag;
|
||||||
|
import org.pgpainless.key.generation.type.KeyType;
|
||||||
|
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
|
||||||
|
import org.pgpainless.key.generation.type.xdh.XDHCurve;
|
||||||
|
|
||||||
|
public class IllegalKeyFlagsTest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testKeyCannotCarryFlagsTest() {
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
|
||||||
|
.withKeyFlags(KeyFlag.SIGN_DATA) // <- should throw
|
||||||
|
.withDefaultAlgorithms()));
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
|
||||||
|
.withKeyFlags(KeyFlag.CERTIFY_OTHER) // <- should throw
|
||||||
|
.withDefaultAlgorithms()));
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
|
||||||
|
.withKeyFlags(KeyFlag.AUTHENTICATION) // <- should throw
|
||||||
|
.withDefaultAlgorithms()));
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519))
|
||||||
|
.withKeyFlags(KeyFlag.ENCRYPT_COMMS) // <- should throw
|
||||||
|
.withDefaultAlgorithms()));
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.generateKeyRing()
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519))
|
||||||
|
.withKeyFlags(KeyFlag.ENCRYPT_STORAGE) // <- should throw as well
|
||||||
|
.withDefaultAlgorithms()));
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue