mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-23 12:52:07 +01:00
Verify notBefore and notAfter on any message signatures
This commit is contained in:
parent
099b160656
commit
5a9b8a2c50
5 changed files with 247 additions and 26 deletions
|
@ -15,6 +15,8 @@
|
||||||
*/
|
*/
|
||||||
package org.pgpainless.decryption_verification;
|
package org.pgpainless.decryption_verification;
|
||||||
|
|
||||||
|
import static org.pgpainless.signature.SignatureValidator.verifySignatureCreationTimeIsInBounds;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -39,15 +41,18 @@ public class DecryptionStream extends InputStream {
|
||||||
private static final Logger LOGGER = Logger.getLogger(DecryptionStream.class.getName());
|
private static final Logger LOGGER = Logger.getLogger(DecryptionStream.class.getName());
|
||||||
|
|
||||||
private final InputStream inputStream;
|
private final InputStream inputStream;
|
||||||
|
private final ConsumerOptions options;
|
||||||
private final OpenPgpMetadata.Builder resultBuilder;
|
private final OpenPgpMetadata.Builder resultBuilder;
|
||||||
private boolean isClosed = false;
|
private boolean isClosed = false;
|
||||||
private List<IntegrityProtectedInputStream> integrityProtectedInputStreamList;
|
private List<IntegrityProtectedInputStream> integrityProtectedInputStreamList;
|
||||||
private final InputStream armorStream;
|
private final InputStream armorStream;
|
||||||
|
|
||||||
DecryptionStream(@Nonnull InputStream wrapped, @Nonnull OpenPgpMetadata.Builder resultBuilder,
|
DecryptionStream(@Nonnull InputStream wrapped, @Nonnull ConsumerOptions options,
|
||||||
|
@Nonnull OpenPgpMetadata.Builder resultBuilder,
|
||||||
List<IntegrityProtectedInputStream> integrityProtectedInputStreamList,
|
List<IntegrityProtectedInputStream> integrityProtectedInputStreamList,
|
||||||
InputStream armorStream) {
|
InputStream armorStream) {
|
||||||
this.inputStream = wrapped;
|
this.inputStream = wrapped;
|
||||||
|
this.options = options;
|
||||||
this.resultBuilder = resultBuilder;
|
this.resultBuilder = resultBuilder;
|
||||||
this.integrityProtectedInputStreamList = integrityProtectedInputStreamList;
|
this.integrityProtectedInputStreamList = integrityProtectedInputStreamList;
|
||||||
this.armorStream = armorStream;
|
this.armorStream = armorStream;
|
||||||
|
@ -99,6 +104,7 @@ public class DecryptionStream extends InputStream {
|
||||||
private void maybeVerifyDetachedSignatures() {
|
private void maybeVerifyDetachedSignatures() {
|
||||||
for (DetachedSignature s : resultBuilder.getDetachedSignatures()) {
|
for (DetachedSignature s : resultBuilder.getDetachedSignatures()) {
|
||||||
try {
|
try {
|
||||||
|
verifySignatureCreationTimeIsInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(s.getSignature());
|
||||||
boolean verified = SignatureChainValidator.validateSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), PGPainless.getPolicy());
|
boolean verified = SignatureChainValidator.validateSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), PGPainless.getPolicy());
|
||||||
s.setVerified(verified);
|
s.setVerified(verified);
|
||||||
} catch (SignatureValidationException e) {
|
} catch (SignatureValidationException e) {
|
||||||
|
|
|
@ -143,7 +143,7 @@ public final class DecryptionStreamFactory {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return new DecryptionStream(inputStream, factory.resultBuilder, factory.integrityProtectedStreams,
|
return new DecryptionStream(inputStream, options, factory.resultBuilder, factory.integrityProtectedStreams,
|
||||||
(decoderStream instanceof ArmoredInputStream) ? decoderStream : null);
|
(decoderStream instanceof ArmoredInputStream) ? decoderStream : null);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -15,8 +15,6 @@
|
||||||
*/
|
*/
|
||||||
package org.pgpainless.decryption_verification;
|
package org.pgpainless.decryption_verification;
|
||||||
|
|
||||||
import static org.pgpainless.signature.SignatureValidator.signatureIsEffective;
|
|
||||||
import static org.pgpainless.signature.SignatureValidator.signatureStructureIsAcceptable;
|
|
||||||
import static org.pgpainless.signature.SignatureValidator.verifySignatureCreationTimeIsInBounds;
|
import static org.pgpainless.signature.SignatureValidator.verifySignatureCreationTimeIsInBounds;
|
||||||
|
|
||||||
import java.io.FilterInputStream;
|
import java.io.FilterInputStream;
|
||||||
|
@ -30,7 +28,6 @@ import javax.annotation.Nonnull;
|
||||||
|
|
||||||
import org.bouncycastle.openpgp.PGPException;
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPObjectFactory;
|
import org.bouncycastle.openpgp.PGPObjectFactory;
|
||||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
|
||||||
import org.bouncycastle.openpgp.PGPSignature;
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
import org.bouncycastle.openpgp.PGPSignatureList;
|
import org.bouncycastle.openpgp.PGPSignatureList;
|
||||||
import org.pgpainless.PGPainless;
|
import org.pgpainless.PGPainless;
|
||||||
|
@ -38,7 +35,6 @@ import org.pgpainless.key.OpenPgpV4Fingerprint;
|
||||||
import org.pgpainless.policy.Policy;
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.OnePassSignature;
|
import org.pgpainless.signature.OnePassSignature;
|
||||||
import org.pgpainless.signature.SignatureChainValidator;
|
import org.pgpainless.signature.SignatureChainValidator;
|
||||||
import org.pgpainless.exception.SignatureValidationException;
|
|
||||||
|
|
||||||
public class SignatureVerifyingInputStream extends FilterInputStream {
|
public class SignatureVerifyingInputStream extends FilterInputStream {
|
||||||
|
|
||||||
|
@ -97,8 +93,8 @@ public class SignatureVerifyingInputStream extends FilterInputStream {
|
||||||
private void validateOnePassSignatures() throws IOException {
|
private void validateOnePassSignatures() throws IOException {
|
||||||
PGPSignatureList signatureList = findPgpSignatureList();
|
PGPSignatureList signatureList = findPgpSignatureList();
|
||||||
|
|
||||||
try {
|
for (PGPSignature signature : signatureList) {
|
||||||
for (PGPSignature signature : signatureList) {
|
try {
|
||||||
OpenPgpV4Fingerprint fingerprint = findFingerprintForSignature(signature);
|
OpenPgpV4Fingerprint fingerprint = findFingerprintForSignature(signature);
|
||||||
OnePassSignature onePassSignature = findOnePassSignature(fingerprint);
|
OnePassSignature onePassSignature = findOnePassSignature(fingerprint);
|
||||||
if (onePassSignature == null) {
|
if (onePassSignature == null) {
|
||||||
|
@ -107,31 +103,18 @@ public class SignatureVerifyingInputStream extends FilterInputStream {
|
||||||
}
|
}
|
||||||
|
|
||||||
verifySignatureOrThrowSignatureException(signature, onePassSignature);
|
verifySignatureOrThrowSignatureException(signature, onePassSignature);
|
||||||
|
} catch (PGPException | SignatureException e) {
|
||||||
|
LOGGER.log(LEVEL, "One-pass-signature verification failed for signature made by key " +
|
||||||
|
Long.toHexString(signature.getKeyID()) + ": " + e.getMessage(), e);
|
||||||
}
|
}
|
||||||
} catch (PGPException | SignatureException e) {
|
|
||||||
throw new IOException(e.getMessage(), e);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void verifySignatureOrThrowSignatureException(PGPSignature signature, OnePassSignature onePassSignature)
|
private void verifySignatureOrThrowSignatureException(PGPSignature signature, OnePassSignature onePassSignature)
|
||||||
throws PGPException, SignatureException {
|
throws PGPException, SignatureException {
|
||||||
Policy policy = PGPainless.getPolicy();
|
Policy policy = PGPainless.getPolicy();
|
||||||
try {
|
verifySignatureCreationTimeIsInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(signature);
|
||||||
PGPPublicKey signingKey = onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID());
|
SignatureChainValidator.validateOnePassSignature(signature, onePassSignature, policy);
|
||||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
verifySignatureCreationTimeIsInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(signature);
|
|
||||||
signatureIsEffective().verify(signature);
|
|
||||||
|
|
||||||
SignatureChainValidator.validateSigningKey(signature, onePassSignature.getVerificationKeys(), PGPainless.getPolicy());
|
|
||||||
|
|
||||||
} catch (SignatureValidationException e) {
|
|
||||||
throw new SignatureException("Signature key is not valid.", e);
|
|
||||||
}
|
|
||||||
if (!onePassSignature.verify(signature)) {
|
|
||||||
throw new SignatureException("Bad Signature of key " + signature.getKeyID());
|
|
||||||
} else {
|
|
||||||
LOGGER.log(LEVEL, "Verified signature of key {}", Long.toHexString(signature.getKeyID()));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private OnePassSignature findOnePassSignature(OpenPgpV4Fingerprint fingerprint) {
|
private OnePassSignature findOnePassSignature(OpenPgpV4Fingerprint fingerprint) {
|
||||||
|
|
|
@ -15,7 +15,12 @@
|
||||||
*/
|
*/
|
||||||
package org.pgpainless.signature;
|
package org.pgpainless.signature;
|
||||||
|
|
||||||
|
import static org.pgpainless.signature.SignatureValidator.signatureIsEffective;
|
||||||
|
import static org.pgpainless.signature.SignatureValidator.signatureStructureIsAcceptable;
|
||||||
|
import static org.pgpainless.signature.SignatureValidator.verifyWasPossiblyMadeByKey;
|
||||||
|
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
|
import java.security.SignatureException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
|
@ -28,6 +33,7 @@ import java.util.logging.Logger;
|
||||||
|
|
||||||
import org.bouncycastle.bcpg.sig.KeyFlags;
|
import org.bouncycastle.bcpg.sig.KeyFlags;
|
||||||
import org.bouncycastle.bcpg.sig.SignerUserID;
|
import org.bouncycastle.bcpg.sig.SignerUserID;
|
||||||
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||||
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||||
import org.bouncycastle.openpgp.PGPSignature;
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
|
@ -263,4 +269,26 @@ public final class SignatureChainValidator {
|
||||||
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static boolean validateOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy) throws PGPException, SignatureException {
|
||||||
|
PGPPublicKey signingKey = onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID());
|
||||||
|
try {
|
||||||
|
verifyWasPossiblyMadeByKey(signingKey, signature);
|
||||||
|
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||||
|
signatureIsEffective().verify(signature);
|
||||||
|
} catch (SignatureValidationException e) {
|
||||||
|
throw new SignatureException("Signature is not valid: " + e.getMessage(), e);
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
validateSigningKey(signature, onePassSignature.getVerificationKeys(), policy);
|
||||||
|
} catch (SignatureValidationException e) {
|
||||||
|
throw new SignatureException("Signing key " + Long.toHexString(signingKey.getKeyID()) + " is not valid: " + e.getMessage(), e);
|
||||||
|
}
|
||||||
|
if (!onePassSignature.verify(signature)) {
|
||||||
|
throw new SignatureException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,204 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Paul Schaub.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.pgpainless.decryption_verification;
|
||||||
|
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
import java.util.Date;
|
||||||
|
|
||||||
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
|
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||||
|
import org.bouncycastle.util.io.Streams;
|
||||||
|
import org.junit.jupiter.api.BeforeAll;
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
import org.pgpainless.PGPainless;
|
||||||
|
import org.pgpainless.key.SubkeyIdentifier;
|
||||||
|
import org.pgpainless.key.TestKeys;
|
||||||
|
import org.pgpainless.util.DateUtil;
|
||||||
|
|
||||||
|
public class VerifyNotBeforeNotAfterTest {
|
||||||
|
|
||||||
|
private static final byte[] data = "Hello, World!\n".getBytes(StandardCharsets.UTF_8);
|
||||||
|
|
||||||
|
private static final byte[] inlineSigned = ("" +
|
||||||
|
"-----BEGIN PGP MESSAGE-----\n" +
|
||||||
|
"Version: PGPainless\n" +
|
||||||
|
"\n" +
|
||||||
|
"kA0DAAoTVzbmkxrPNwwAyxRiAAAAAABIZWxsbywgV29ybGQhCoh1BAATCgAGBQJh\n" +
|
||||||
|
"G7iQACEJEFc25pMazzcMFiEET2ZcTcLEZgvGQl5BVzbmkxrPNwxH7AEAsEyOCQPG\n" +
|
||||||
|
"3F2JSWK/8AYyvsk17Gtb9TGn5SWqLo5Ac8YBAIlijYnSIHm0aatlMsK6t/rAB3bU\n" +
|
||||||
|
"eHyT9/mVlk9qrOWs\n" +
|
||||||
|
"=vkxO\n" +
|
||||||
|
"-----END PGP MESSAGE-----").getBytes(StandardCharsets.UTF_8);
|
||||||
|
|
||||||
|
private static final byte[] detachedSignature = ("" +
|
||||||
|
"-----BEGIN PGP SIGNATURE-----\n" +
|
||||||
|
"Version: PGPainless\n" +
|
||||||
|
"\n" +
|
||||||
|
"iHUEABMKAAYFAmEbuJAAIQkQVzbmkxrPNwwWIQRPZlxNwsRmC8ZCXkFXNuaTGs83\n" +
|
||||||
|
"DEfsAQDNXmvhkh92aoUp9KNCpCqA6nvHmT5O0n1Lr0BmBccHtgD8CVR3VElemas+\n" +
|
||||||
|
"aH5l06cDUW1peQQs+xZ0FHltWmk5PJw=\n" +
|
||||||
|
"=RJDi\n" +
|
||||||
|
"-----END PGP SIGNATURE-----").getBytes(StandardCharsets.UTF_8);
|
||||||
|
|
||||||
|
private static final Date signatureCreationDate = DateUtil.parseUTCDate("2021-08-17 13:24:32 UTC");
|
||||||
|
private static final Date T0 = DateUtil.parseUTCDate("2021-08-17 12:30:00 UTC");
|
||||||
|
private static final Date T1 = signatureCreationDate;
|
||||||
|
private static final Date T2 = DateUtil.parseUTCDate("2021-08-17 13:30:00 UTC");
|
||||||
|
private static PGPPublicKeyRing certificate;
|
||||||
|
private static SubkeyIdentifier signingKey;
|
||||||
|
|
||||||
|
@BeforeAll
|
||||||
|
public static void setup() throws IOException {
|
||||||
|
certificate = TestKeys.getEmilPublicKeyRing();
|
||||||
|
signingKey = new SubkeyIdentifier(certificate);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void noConstraintsVerifyInlineSig() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.addVerificationCert(certificate);
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(inlineSigned))
|
||||||
|
.withOptions(options);
|
||||||
|
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(new SubkeyIdentifier(certificate)));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void noConstraintsVerifyDetachedSig() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.addVerificationCert(certificate)
|
||||||
|
.addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature));
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(data))
|
||||||
|
.withOptions(options);
|
||||||
|
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(new SubkeyIdentifier(certificate)));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void notBeforeT1DoesNotRejectInlineSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotBefore(T1)
|
||||||
|
.addVerificationCert(certificate);
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(inlineSigned))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void notBeforeT1DoesNotRejectDetachedSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotBefore(T1)
|
||||||
|
.addVerificationCert(certificate)
|
||||||
|
.addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature));
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(data))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotBeforeT2DoesRejectInlineSignatureMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotBefore(T2)
|
||||||
|
.addVerificationCert(certificate);
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(inlineSigned))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertFalse(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotBeforeT2DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotBefore(T2)
|
||||||
|
.addVerificationCert(certificate)
|
||||||
|
.addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature));
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(data))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertFalse(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotAfterT1DoesNotRejectInlineSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotAfter(T1)
|
||||||
|
.addVerificationCert(certificate);
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(inlineSigned))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotAfterT1DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotAfter(T1)
|
||||||
|
.addVerificationCert(certificate)
|
||||||
|
.addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature));
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(data))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertTrue(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotAfterT0DoesRejectInlineSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotAfter(T0)
|
||||||
|
.addVerificationCert(certificate);
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(inlineSigned))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertFalse(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void verifyNotAfterT0DoesRejectDetachedSigMadeAtT1() throws PGPException, IOException {
|
||||||
|
ConsumerOptions options = new ConsumerOptions()
|
||||||
|
.verifyNotAfter(T0)
|
||||||
|
.addVerificationCert(certificate)
|
||||||
|
.addVerificationOfDetachedSignatures(new ByteArrayInputStream(detachedSignature));
|
||||||
|
DecryptionStream verifier = PGPainless.decryptAndOrVerify()
|
||||||
|
.onInputStream(new ByteArrayInputStream(data))
|
||||||
|
.withOptions(options);
|
||||||
|
OpenPgpMetadata metadata = processSignedData(verifier);
|
||||||
|
assertFalse(metadata.getVerifiedSignatures().containsKey(signingKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
private OpenPgpMetadata processSignedData(DecryptionStream verifier) throws IOException {
|
||||||
|
Streams.drain(verifier);
|
||||||
|
verifier.close();
|
||||||
|
return verifier.getResult();
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue