PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-05 20:15:59 +01:00
Code Issues Releases Wiki Activity

Reuse *SignatureCheck class

Browse source
This commit is contained in:
Paul Schaub 2022-10-20 14:05:21 +02:00
parent 0a7c76a2dd
commit 5c61559647
4 changed files with 170 additions and 255 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
View file

@ -60,7 +60,7 @@ import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.SignatureUtils;
import org.pgpainless.signature.consumer.DetachedSignatureCheck; import org.pgpainless.signature.consumer.SignatureCheck;
import org.pgpainless.signature.consumer.OnePassSignatureCheck; import org.pgpainless.signature.consumer.OnePassSignatureCheck;
import org.pgpainless.util.ArmoredInputStreamFactory; import org.pgpainless.util.ArmoredInputStreamFactory;
import org.pgpainless.util.Passphrase; import org.pgpainless.util.Passphrase;
@ -79,7 +79,7 @@ public final class DecryptionStreamFactory {
private final ConsumerOptions options; private final ConsumerOptions options;
private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder(); private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
private final List<OnePassSignatureCheck> onePassSignatureChecks = new ArrayList<>(); private final List<OnePassSignatureCheck> onePassSignatureChecks = new ArrayList<>();
private final List<DetachedSignatureCheck> detachedSignatureChecks = new ArrayList<>(); private final List<SignatureCheck> signatureChecks = new ArrayList<>();
private final Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert = new HashMap<>(); private final Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert = new HashMap<>();
private static final PGPContentVerifierBuilderProvider verifierBuilderProvider = private static final PGPContentVerifierBuilderProvider verifierBuilderProvider =
@ -134,9 +134,9 @@ public final class DecryptionStreamFactory {
SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID()); SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
try { try {
signature.init(verifierBuilderProvider, signingKey); signature.init(verifierBuilderProvider, signingKey);
DetachedSignatureCheck detachedSignature = SignatureCheck detachedSignature =
new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier); new SignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
detachedSignatureChecks.add(detachedSignature); signatureChecks.add(detachedSignature);
} catch (PGPException e) { } catch (PGPException e) {
SignatureValidationException ex = new SignatureValidationException( SignatureValidationException ex = new SignatureValidationException(
"Cannot verify detached signature made by " + signingKeyIdentifier + ".", e); "Cannot verify detached signature made by " + signingKeyIdentifier + ".", e);
@ -212,7 +212,7 @@ public final class DecryptionStreamFactory {
private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) { private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
return new SignatureInputStream.VerifySignatures( return new SignatureInputStream.VerifySignatures(
bufferedIn, objectFactory, onePassSignatureChecks, bufferedIn, objectFactory, onePassSignatureChecks,
onePassSignaturesWithMissingCert, detachedSignatureChecks, options, onePassSignaturesWithMissingCert, signatureChecks, options,
resultBuilder); resultBuilder);
} }
@ -348,7 +348,7 @@ public final class DecryptionStreamFactory {
} }
return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory, return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory,
onePassSignatureChecks, onePassSignaturesWithMissingCert, detachedSignatureChecks, options, resultBuilder) { onePassSignatureChecks, onePassSignaturesWithMissingCert, signatureChecks, options, resultBuilder) {
}; };
} }

367
pgpainless-core/src/main/java/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.java
View file

@ -5,7 +5,6 @@
package org.pgpainless.decryption_verification; package org.pgpainless.decryption_verification;
import java.io.BufferedInputStream; import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
@ -31,6 +30,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider; import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory; import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
@ -44,6 +44,8 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.decryption_verification.automaton.InputAlphabet; import org.pgpainless.decryption_verification.automaton.InputAlphabet;
import org.pgpainless.decryption_verification.automaton.PDA; import org.pgpainless.decryption_verification.automaton.PDA;
import org.pgpainless.decryption_verification.automaton.StackAlphabet; import org.pgpainless.decryption_verification.automaton.StackAlphabet;
import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
import org.pgpainless.exception.MalformedOpenPgpMessageException; import org.pgpainless.exception.MalformedOpenPgpMessageException;
import org.pgpainless.exception.MessageNotIntegrityProtectedException; import org.pgpainless.exception.MessageNotIntegrityProtectedException;
import org.pgpainless.exception.MissingDecryptionMethodException; import org.pgpainless.exception.MissingDecryptionMethodException;
@ -56,7 +58,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey; import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.policy.Policy; import org.pgpainless.policy.Policy;
import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.SignatureUtils;
import org.pgpainless.signature.consumer.SignatureValidator; import org.pgpainless.signature.consumer.OnePassSignatureCheck;
import org.pgpainless.signature.consumer.SignatureCheck;
import org.pgpainless.signature.consumer.SignatureVerifier;
import org.pgpainless.util.ArmoredInputStreamFactory; import org.pgpainless.util.ArmoredInputStreamFactory;
import org.pgpainless.util.Passphrase; import org.pgpainless.util.Passphrase;
import org.pgpainless.util.SessionKey; import org.pgpainless.util.SessionKey;
@ -93,7 +97,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
@Nonnull ConsumerOptions options, @Nonnull ConsumerOptions options,
@Nonnull Policy policy) @Nonnull Policy policy)
throws PGPException, IOException { throws PGPException, IOException {
this(prepareInputStream(inputStream, options), options, new MessageMetadata.Message(), policy); this(
prepareInputStream(inputStream, options, policy),
options, new MessageMetadata.Message(), policy);
} }
protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream, protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
@ -120,7 +126,20 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
consumePackets(); consumePackets();
} }
private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options) throws IOException { protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
@Nonnull Policy policy,
@Nonnull ConsumerOptions options) {
super(OpenPgpMetadata.getBuilder());
this.policy = policy;
this.options = options;
this.metadata = new MessageMetadata.Message();
this.signatures = new Signatures(options);
this.signatures.addDetachedSignatures(options.getDetachedSignatures());
this.packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
}
private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options, Policy policy)
throws IOException, PGPException {
OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream); OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
openPgpIn.reset(); openPgpIn.reset();
@ -131,7 +150,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
if (openPgpIn.isAsciiArmored()) { if (openPgpIn.isAsciiArmored()) {
ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn); ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
if (armorIn.isClearText()) { if (armorIn.isClearText()) {
return armorIn; return parseCleartextSignedMessage(armorIn, options, policy);
} else { } else {
return armorIn; return armorIn;
} }
@ -140,6 +159,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
} }
} }
private static DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn, ConsumerOptions options, Policy policy)
throws IOException, PGPException {
MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
for (PGPSignature signature : signatures) {
options.addVerificationOfDetachedSignature(signature);
}
options.forceNonOpenPgpData();
return new OpenPgpMessageInputStream(multiPassStrategy.getMessageInputStream(), policy, options);
}
/** /**
* Consume OpenPGP packets from the current {@link BCPGInputStream}. * Consume OpenPGP packets from the current {@link BCPGInputStream}.
* Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached, * Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
@ -575,17 +607,58 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
} }
} }
@Override
public OpenPgpMetadata getResult() {
MessageMetadata m = getMetadata();
resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
resultBuilder.setModificationDate(m.getModificationDate());
resultBuilder.setFileName(m.getFilename());
resultBuilder.setFileEncoding(m.getFormat());
resultBuilder.setSessionKey(m.getSessionKey());
resultBuilder.setDecryptionKey(m.getDecryptionKey());
for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
resultBuilder.addVerifiedDetachedSignature(accepted);
}
for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
}
for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
resultBuilder.addVerifiedInbandSignature(accepted);
}
for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
}
return resultBuilder.build();
}
static void log(String message) {
LOGGER.debug(message);
// CHECKSTYLE:OFF
System.out.println(message);
// CHECKSTYLE:ON
}
static void log(String message, Throwable e) {
log(message);
// CHECKSTYLE:OFF
e.printStackTrace();
// CHECKSTYLE:ON
}
// In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo" // In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
// In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG. // In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
// Therefore, we need to handle the innermost signature layer differently when updating with Literal data. // Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
// Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!! // Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
private static final class Signatures extends OutputStream { private static final class Signatures extends OutputStream {
final ConsumerOptions options; final ConsumerOptions options;
final List<DetachedOrPrependedSignature> detachedSignatures; final List<SignatureCheck> detachedSignatures;
final List<DetachedOrPrependedSignature> prependedSignatures; final List<SignatureCheck> prependedSignatures;
final List<OnePassSignature> onePassSignatures; final List<OnePassSignatureCheck> onePassSignatures;
final Stack<List<OnePassSignature>> opsUpdateStack; final Stack<List<OnePassSignatureCheck>> opsUpdateStack;
List<OnePassSignature> literalOPS = new ArrayList<>(); List<OnePassSignatureCheck> literalOPS = new ArrayList<>();
final List<PGPSignature> correspondingSignatures; final List<PGPSignature> correspondingSignatures;
boolean isLiteral = true; boolean isLiteral = true;
@ -605,31 +678,37 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
} }
void addDetachedSignature(PGPSignature signature) { void addDetachedSignature(PGPSignature signature) {
long keyId = SignatureUtils.determineIssuerKeyId(signature); SignatureCheck check = initializeSignature(signature);
PGPPublicKeyRing certificate = findCertificate(keyId); if (check != null) {
detachedSignatures.add(check);
if (certificate != null) {
initialize(signature, certificate, keyId);
this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
} }
} }
void addPrependedSignature(PGPSignature signature) { void addPrependedSignature(PGPSignature signature) {
SignatureCheck check = initializeSignature(signature);
if (check != null) {
this.prependedSignatures.add(check);
}
}
SignatureCheck initializeSignature(PGPSignature signature) {
long keyId = SignatureUtils.determineIssuerKeyId(signature); long keyId = SignatureUtils.determineIssuerKeyId(signature);
PGPPublicKeyRing certificate = findCertificate(keyId); PGPPublicKeyRing certificate = findCertificate(keyId);
if (certificate == null) {
if (certificate != null) { return null;
initialize(signature, certificate, keyId);
this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
} }
SubkeyIdentifier verifierKey = new SubkeyIdentifier(certificate, keyId);
initialize(signature, certificate, keyId);
return new SignatureCheck(signature, certificate, verifierKey);
} }
void addOnePassSignature(PGPOnePassSignature signature) { void addOnePassSignature(PGPOnePassSignature signature) {
PGPPublicKeyRing certificate = findCertificate(signature.getKeyID()); PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
if (certificate != null) { if (certificate != null) {
OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID()); OnePassSignatureCheck ops = new OnePassSignatureCheck(signature, certificate);
ops.init(certificate); initialize(signature, certificate);
onePassSignatures.add(ops); onePassSignatures.add(ops);
literalOPS.add(ops); literalOPS.add(ops);
@ -641,40 +720,29 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) { void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
for (int i = onePassSignatures.size() - 1; i >= 0; i--) { for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
OnePassSignature onePassSignature = onePassSignatures.get(i); OnePassSignatureCheck onePassSignature = onePassSignatures.get(i);
if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) { if (onePassSignature.getOnePassSignature().getKeyID() != signature.getKeyID()) {
continue;
}
if (onePassSignature.finished) {
continue; continue;
} }
boolean correct = onePassSignature.verify(signature); if (onePassSignature.getSignature() != null) {
continue;
}
onePassSignature.setSignature(signature);
SignatureVerification verification = new SignatureVerification(signature, SignatureVerification verification = new SignatureVerification(signature,
new SubkeyIdentifier(onePassSignature.certificate, onePassSignature.keyId)); new SubkeyIdentifier(onePassSignature.getVerificationKeys(), onePassSignature.getOnePassSignature().getKeyID()));
if (correct) {
PGPPublicKey signingKey = onePassSignature.certificate.getPublicKey(onePassSignature.keyId);
try { try {
checkSignatureValidity(signature, signingKey, policy); SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
layer.addVerifiedOnePassSignature(verification); layer.addVerifiedOnePassSignature(verification);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e)); layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
} }
} else {
layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification,
new SignatureValidationException("Bad Signature.")));
}
break; break;
} }
} }
boolean checkSignatureValidity(PGPSignature signature, PGPPublicKey signingKey, Policy policy) throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective().verify(signature);
return true;
}
void enterNesting() { void enterNesting() {
opsUpdateStack.push(literalOPS); opsUpdateStack.push(literalOPS);
literalOPS = new ArrayList<>(); literalOPS = new ArrayList<>();
@ -718,86 +786,76 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
} }
public void updateLiteral(byte b) { public void updateLiteral(byte b) {
for (OnePassSignature ops : literalOPS) { for (OnePassSignatureCheck ops : literalOPS) {
ops.update(b); ops.getOnePassSignature().update(b);
} }
for (DetachedOrPrependedSignature detached : detachedSignatures) { for (SignatureCheck detached : detachedSignatures) {
detached.update(b); detached.getSignature().update(b);
} }
for (DetachedOrPrependedSignature prepended : prependedSignatures) { for (SignatureCheck prepended : prependedSignatures) {
prepended.update(b); prepended.getSignature().update(b);
} }
} }
public void updateLiteral(byte[] b, int off, int len) { public void updateLiteral(byte[] b, int off, int len) {
for (OnePassSignature ops : literalOPS) { for (OnePassSignatureCheck ops : literalOPS) {
ops.update(b, off, len); ops.getOnePassSignature().update(b, off, len);
} }
for (DetachedOrPrependedSignature detached : detachedSignatures) { for (SignatureCheck detached : detachedSignatures) {
detached.update(b, off, len); detached.getSignature().update(b, off, len);
} }
for (DetachedOrPrependedSignature prepended : prependedSignatures) { for (SignatureCheck prepended : prependedSignatures) {
prepended.update(b, off, len); prepended.getSignature().update(b, off, len);
} }
} }
public void updatePacket(byte b) { public void updatePacket(byte b) {
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) { for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
List<OnePassSignature> nestedOPSs = opsUpdateStack.get(i); List<OnePassSignatureCheck> nestedOPSs = opsUpdateStack.get(i);
for (OnePassSignature ops : nestedOPSs) { for (OnePassSignatureCheck ops : nestedOPSs) {
ops.update(b); ops.getOnePassSignature().update(b);
} }
} }
} }
public void updatePacket(byte[] buf, int off, int len) { public void updatePacket(byte[] buf, int off, int len) {
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) { for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
List<OnePassSignature> nestedOPSs = opsUpdateStack.get(i); List<OnePassSignatureCheck> nestedOPSs = opsUpdateStack.get(i);
for (OnePassSignature ops : nestedOPSs) { for (OnePassSignatureCheck ops : nestedOPSs) {
ops.update(buf, off, len); ops.getOnePassSignature().update(buf, off, len);
} }
} }
} }
public void finish(MessageMetadata.Layer layer, Policy policy) { public void finish(MessageMetadata.Layer layer, Policy policy) {
for (DetachedOrPrependedSignature detached : detachedSignatures) { for (SignatureCheck detached : detachedSignatures) {
boolean correct = detached.verify(); SignatureVerification verification = new SignatureVerification(detached.getSignature(), detached.getSigningKeyIdentifier());
SignatureVerification verification = new SignatureVerification(
detached.signature, new SubkeyIdentifier(detached.certificate, detached.keyId));
if (correct) {
try { try {
PGPPublicKey signingKey = detached.certificate.getPublicKey(detached.keyId); SignatureVerifier.verifyInitializedSignature(
checkSignatureValidity(detached.signature, signingKey, policy); detached.getSignature(),
detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
policy, detached.getSignature().getCreationTime());
layer.addVerifiedDetachedSignature(verification); layer.addVerifiedDetachedSignature(verification);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e)); layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
} }
} else {
layer.addRejectedDetachedSignature(new SignatureVerification.Failure(
verification, new SignatureValidationException("Incorrect Signature.")));
}
} }
for (DetachedOrPrependedSignature prepended : prependedSignatures) { for (SignatureCheck prepended : prependedSignatures) {
boolean correct = prepended.verify(); SignatureVerification verification = new SignatureVerification(prepended.getSignature(), prepended.getSigningKeyIdentifier());
SignatureVerification verification = new SignatureVerification(
prepended.signature, new SubkeyIdentifier(prepended.certificate, prepended.keyId));
if (correct) {
try { try {
PGPPublicKey signingKey = prepended.certificate.getPublicKey(prepended.keyId); SignatureVerifier.verifyInitializedSignature(
checkSignatureValidity(prepended.signature, signingKey, policy); prepended.getSignature(),
prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),
policy, prepended.getSignature().getCreationTime());
layer.addVerifiedPrependedSignature(verification); layer.addVerifiedPrependedSignature(verification);
} catch (SignatureValidationException e) { } catch (SignatureValidationException e) {
layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e)); layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
} }
} else {
layer.addRejectedPrependedSignature(new SignatureVerification.Failure(
verification, new SignatureValidationException("Incorrect Signature.")));
}
} }
} }
@ -822,148 +880,5 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
} }
} }
static class DetachedOrPrependedSignature {
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PGPSignature signature;
PGPPublicKeyRing certificate;
long keyId;
boolean finished;
boolean valid;
DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
this.signature = signature;
this.certificate = certificate;
this.keyId = keyId;
}
public void init(PGPPublicKeyRing certificate) {
initialize(signature, certificate, signature.getKeyID());
}
public boolean verify() {
if (finished) {
throw new IllegalStateException("Already finished.");
}
finished = true;
try {
valid = this.signature.verify();
} catch (PGPException e) {
log("Cannot verify SIG " + signature.getKeyID());
}
return valid;
}
public void update(byte b) {
if (finished) {
throw new IllegalStateException("Already finished.");
}
signature.update(b);
bytes.write(b);
}
public void update(byte[] bytes, int off, int len) {
if (finished) {
throw new IllegalStateException("Already finished.");
}
signature.update(bytes, off, len);
this.bytes.write(bytes, off, len);
}
}
static class OnePassSignature {
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
PGPOnePassSignature opSignature;
PGPSignature signature;
PGPPublicKeyRing certificate;
long keyId;
boolean finished;
boolean valid;
OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
this.opSignature = signature;
this.certificate = certificate;
this.keyId = keyId;
}
public void init(PGPPublicKeyRing certificate) {
initialize(opSignature, certificate);
}
public boolean verify(PGPSignature signature) {
if (finished) {
throw new IllegalStateException("Already finished.");
}
if (this.opSignature.getKeyID() != signature.getKeyID()) {
// nope
return false;
}
this.signature = signature;
finished = true;
try {
valid = this.opSignature.verify(signature);
} catch (PGPException e) {
log("Cannot verify OPS " + signature.getKeyID());
}
return valid;
}
public void update(byte b) {
if (finished) {
throw new IllegalStateException("Already finished.");
}
opSignature.update(b);
bytes.write(b);
}
public void update(byte[] bytes, int off, int len) {
if (finished) {
throw new IllegalStateException("Already finished.");
}
opSignature.update(bytes, off, len);
this.bytes.write(bytes, off, len);
}
}
}
@Override
public OpenPgpMetadata getResult() {
MessageMetadata m = getMetadata();
resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
resultBuilder.setModificationDate(m.getModificationDate());
resultBuilder.setFileName(m.getFilename());
resultBuilder.setFileEncoding(m.getFormat());
resultBuilder.setSessionKey(m.getSessionKey());
resultBuilder.setDecryptionKey(m.getDecryptionKey());
for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
resultBuilder.addVerifiedDetachedSignature(accepted);
}
for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
}
for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
resultBuilder.addVerifiedInbandSignature(accepted);
}
for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
}
return resultBuilder.build();
}
static void log(String message) {
LOGGER.debug(message);
// CHECKSTYLE:OFF
System.out.println(message);
// CHECKSTYLE:ON
}
static void log(String message, Throwable e) {
log(message);
// CHECKSTYLE:OFF
e.printStackTrace();
// CHECKSTYLE:ON
} }
} }

12
pgpainless-core/src/main/java/org/pgpainless/decryption_verification/SignatureInputStream.java
View file

@ -22,7 +22,7 @@ import org.pgpainless.PGPainless;
import org.pgpainless.exception.SignatureValidationException; import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.policy.Policy; import org.pgpainless.policy.Policy;
import org.pgpainless.signature.consumer.CertificateValidator; import org.pgpainless.signature.consumer.CertificateValidator;
import org.pgpainless.signature.consumer.DetachedSignatureCheck; import org.pgpainless.signature.consumer.SignatureCheck;
import org.pgpainless.signature.consumer.OnePassSignatureCheck; import org.pgpainless.signature.consumer.OnePassSignatureCheck;
import org.pgpainless.signature.SignatureUtils; import org.pgpainless.signature.SignatureUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
@ -41,7 +41,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
private final PGPObjectFactory objectFactory; private final PGPObjectFactory objectFactory;
private final List<OnePassSignatureCheck> opSignatures; private final List<OnePassSignatureCheck> opSignatures;
private final Map<Long, OnePassSignatureCheck> opSignaturesWithMissingCert; private final Map<Long, OnePassSignatureCheck> opSignaturesWithMissingCert;
private final List<DetachedSignatureCheck> detachedSignatures; private final List<SignatureCheck> detachedSignatures;
private final ConsumerOptions options; private final ConsumerOptions options;
private final OpenPgpMetadata.Builder resultBuilder; private final OpenPgpMetadata.Builder resultBuilder;
@ -50,7 +50,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
@Nullable PGPObjectFactory objectFactory, @Nullable PGPObjectFactory objectFactory,
List<OnePassSignatureCheck> opSignatures, List<OnePassSignatureCheck> opSignatures,
Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert, Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert,
List<DetachedSignatureCheck> detachedSignatures, List<SignatureCheck> detachedSignatures,
ConsumerOptions options, ConsumerOptions options,
OpenPgpMetadata.Builder resultBuilder) { OpenPgpMetadata.Builder resultBuilder) {
super(literalDataStream); super(literalDataStream);
@ -170,7 +170,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
private void verifyDetachedSignatures() { private void verifyDetachedSignatures() {
Policy policy = PGPainless.getPolicy(); Policy policy = PGPainless.getPolicy();
for (DetachedSignatureCheck s : detachedSignatures) { for (SignatureCheck s : detachedSignatures) {
try { try {
signatureWasCreatedInBounds(options.getVerifyNotBefore(), signatureWasCreatedInBounds(options.getVerifyNotBefore(),
options.getVerifyNotAfter()).verify(s.getSignature()); options.getVerifyNotAfter()).verify(s.getSignature());
@ -200,13 +200,13 @@ public abstract class SignatureInputStream extends FilterInputStream {
} }
private void updateDetachedSignatures(byte b) { private void updateDetachedSignatures(byte b) {
for (DetachedSignatureCheck detachedSignature : detachedSignatures) { for (SignatureCheck detachedSignature : detachedSignatures) {
detachedSignature.getSignature().update(b); detachedSignature.getSignature().update(b);
} }
} }
private void updateDetachedSignatures(byte[] b, int off, int read) { private void updateDetachedSignatures(byte[] b, int off, int read) {
for (DetachedSignatureCheck detachedSignature : detachedSignatures) { for (SignatureCheck detachedSignature : detachedSignatures) {
detachedSignature.getSignature().update(b, off, read); detachedSignature.getSignature().update(b, off, read);
} }
} }

6
pgpainless-core/src/main/java/org/pgpainless/signature/consumer/DetachedSignatureCheck.java → pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureCheck.java
View file

@ -13,19 +13,19 @@ import org.pgpainless.key.SubkeyIdentifier;
* Tuple-class which bundles together a signature, the signing key that created the signature, * Tuple-class which bundles together a signature, the signing key that created the signature,
* an identifier of the signing key and a record of whether the signature was verified. * an identifier of the signing key and a record of whether the signature was verified.
*/ */
public class DetachedSignatureCheck { public class SignatureCheck {
private final PGPSignature signature; private final PGPSignature signature;
private final PGPKeyRing signingKeyRing; private final PGPKeyRing signingKeyRing;
private final SubkeyIdentifier signingKeyIdentifier; private final SubkeyIdentifier signingKeyIdentifier;
/** /**
* Create a new {@link DetachedSignatureCheck} object. * Create a new {@link SignatureCheck} object.
* *
* @param signature signature * @param signature signature
* @param signingKeyRing signing key that created the signature * @param signingKeyRing signing key that created the signature
* @param signingKeyIdentifier identifier of the used signing key * @param signingKeyIdentifier identifier of the used signing key
*/ */
public DetachedSignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) { public SignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) {
this.signature = signature; this.signature = signature;
this.signingKeyRing = signingKeyRing; this.signingKeyRing = signingKeyRing;
this.signingKeyIdentifier = signingKeyIdentifier; this.signingKeyIdentifier = signingKeyIdentifier;