1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-29 15:52:08 +01:00

OpenPgpMetadat: identify verified sigs by SubkeyIdentifier

This commit is contained in:
Paul Schaub 2021-07-04 13:08:24 +02:00
parent 48314fde40
commit 6a90c4303e
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
10 changed files with 55 additions and 53 deletions

View file

@ -243,7 +243,7 @@ public final class DecryptionStreamFactory {
// Watch out! This assignment is possibly done multiple times. // Watch out! This assignment is possibly done multiple times.
encryptedSessionKey = publicKeyEncryptedData; encryptedSessionKey = publicKeyEncryptedData;
decryptionKey = UnlockSecretKey.unlockSecretKey(secretKey, options.getSecretKeyProtector(decryptionKeyRing)); decryptionKey = UnlockSecretKey.unlockSecretKey(secretKey, options.getSecretKeyProtector(decryptionKeyRing));
resultBuilder.setDecryptionFingerprint(new OpenPgpV4Fingerprint(secretKey)); resultBuilder.setDecryptionKey(new SubkeyIdentifier(decryptionKeyRing, decryptionKey.getKeyID()));
} }
} }
@ -265,7 +265,7 @@ public final class DecryptionStreamFactory {
publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory); // will only succeed if we have the right secret key publicKeyEncryptedData.getSymmetricAlgorithm(decryptorFactory); // will only succeed if we have the right secret key
LOGGER.log(LEVEL, "Found correct key " + Long.toHexString(key.getKeyID()) + " for hidden recipient decryption."); LOGGER.log(LEVEL, "Found correct key " + Long.toHexString(key.getKeyID()) + " for hidden recipient decryption.");
decryptionKey = privateKey; decryptionKey = privateKey;
resultBuilder.setDecryptionFingerprint(new OpenPgpV4Fingerprint(key)); resultBuilder.setDecryptionKey(new SubkeyIdentifier(ring, decryptionKey.getKeyID()));
encryptedSessionKey = publicKeyEncryptedData; encryptedSessionKey = publicKeyEncryptedData;
break outerloop; break outerloop;
} catch (PGPException | ClassCastException e) { } catch (PGPException | ClassCastException e) {

View file

@ -32,13 +32,14 @@ import org.pgpainless.algorithm.CompressionAlgorithm;
import org.pgpainless.algorithm.StreamEncoding; import org.pgpainless.algorithm.StreamEncoding;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint;
import org.pgpainless.key.SubkeyIdentifier;
import org.pgpainless.signature.DetachedSignature; import org.pgpainless.signature.DetachedSignature;
import org.pgpainless.signature.OnePassSignature; import org.pgpainless.signature.OnePassSignature;
public class OpenPgpMetadata { public class OpenPgpMetadata {
private final Set<Long> recipientKeyIds; private final Set<Long> recipientKeyIds;
private final OpenPgpV4Fingerprint decryptionFingerprint; private final SubkeyIdentifier decryptionKey;
private final List<OnePassSignature> onePassSignatures; private final List<OnePassSignature> onePassSignatures;
private final List<DetachedSignature> detachedSignatures; private final List<DetachedSignature> detachedSignatures;
private final SymmetricKeyAlgorithm symmetricKeyAlgorithm; private final SymmetricKeyAlgorithm symmetricKeyAlgorithm;
@ -46,7 +47,7 @@ public class OpenPgpMetadata {
private final FileInfo fileInfo; private final FileInfo fileInfo;
public OpenPgpMetadata(Set<Long> recipientKeyIds, public OpenPgpMetadata(Set<Long> recipientKeyIds,
OpenPgpV4Fingerprint decryptionFingerprint, SubkeyIdentifier decryptionKey,
SymmetricKeyAlgorithm symmetricKeyAlgorithm, SymmetricKeyAlgorithm symmetricKeyAlgorithm,
CompressionAlgorithm algorithm, CompressionAlgorithm algorithm,
List<OnePassSignature> onePassSignatures, List<OnePassSignature> onePassSignatures,
@ -54,7 +55,7 @@ public class OpenPgpMetadata {
FileInfo fileInfo) { FileInfo fileInfo) {
this.recipientKeyIds = Collections.unmodifiableSet(recipientKeyIds); this.recipientKeyIds = Collections.unmodifiableSet(recipientKeyIds);
this.decryptionFingerprint = decryptionFingerprint; this.decryptionKey = decryptionKey;
this.symmetricKeyAlgorithm = symmetricKeyAlgorithm; this.symmetricKeyAlgorithm = symmetricKeyAlgorithm;
this.compressionAlgorithm = algorithm; this.compressionAlgorithm = algorithm;
this.detachedSignatures = Collections.unmodifiableList(detachedSignatures); this.detachedSignatures = Collections.unmodifiableList(detachedSignatures);
@ -70,8 +71,8 @@ public class OpenPgpMetadata {
return symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL && !getRecipientKeyIds().isEmpty(); return symmetricKeyAlgorithm != SymmetricKeyAlgorithm.NULL && !getRecipientKeyIds().isEmpty();
} }
public OpenPgpV4Fingerprint getDecryptionFingerprint() { public SubkeyIdentifier getDecryptionKey() {
return decryptionFingerprint; return decryptionKey;
} }
public SymmetricKeyAlgorithm getSymmetricKeyAlgorithm() { public SymmetricKeyAlgorithm getSymmetricKeyAlgorithm() {
@ -97,26 +98,22 @@ public class OpenPgpMetadata {
return !getSignatures().isEmpty(); return !getSignatures().isEmpty();
} }
public Map<OpenPgpV4Fingerprint, PGPSignature> getVerifiedSignatures() { public Map<SubkeyIdentifier, PGPSignature> getVerifiedSignatures() {
Map<OpenPgpV4Fingerprint, PGPSignature> verifiedSignatures = new ConcurrentHashMap<>(); Map<SubkeyIdentifier, PGPSignature> verifiedSignatures = new ConcurrentHashMap<>();
for (DetachedSignature detachedSignature : detachedSignatures) { for (DetachedSignature detachedSignature : detachedSignatures) {
if (detachedSignature.isVerified()) { if (detachedSignature.isVerified()) {
verifiedSignatures.put(detachedSignature.getSigningKeyIdentifier().getSubkeyFingerprint(), detachedSignature.getSignature()); verifiedSignatures.put(detachedSignature.getSigningKeyIdentifier(), detachedSignature.getSignature());
} }
} }
for (OnePassSignature onePassSignature : onePassSignatures) { for (OnePassSignature onePassSignature : onePassSignatures) {
if (onePassSignature.isVerified()) { if (onePassSignature.isVerified()) {
verifiedSignatures.put(onePassSignature.getFingerprint(), onePassSignature.getSignature()); verifiedSignatures.put(onePassSignature.getSigningKey(), onePassSignature.getSignature());
} }
} }
return verifiedSignatures; return verifiedSignatures;
} }
public Set<OpenPgpV4Fingerprint> getVerifiedSignatureKeyFingerprints() {
return getVerifiedSignatures().keySet();
}
public boolean isVerified() { public boolean isVerified() {
return !getVerifiedSignatures().isEmpty(); return !getVerifiedSignatures().isEmpty();
} }
@ -132,7 +129,13 @@ public class OpenPgpMetadata {
} }
public boolean containsVerifiedSignatureFrom(OpenPgpV4Fingerprint fingerprint) { public boolean containsVerifiedSignatureFrom(OpenPgpV4Fingerprint fingerprint) {
return getVerifiedSignatureKeyFingerprints().contains(fingerprint); for (SubkeyIdentifier verifiedSigningKey : getVerifiedSignatures().keySet()) {
if (verifiedSigningKey.getPrimaryKeyFingerprint().equals(fingerprint) ||
verifiedSigningKey.getSubkeyFingerprint().equals(fingerprint)) {
return true;
}
}
return false;
} }
public static class Signature { public static class Signature {
@ -235,7 +238,7 @@ public class OpenPgpMetadata {
public static class Builder { public static class Builder {
private final Set<Long> recipientFingerprints = new HashSet<>(); private final Set<Long> recipientFingerprints = new HashSet<>();
private OpenPgpV4Fingerprint decryptionFingerprint; private SubkeyIdentifier decryptionKey;
private final List<DetachedSignature> detachedSignatures = new ArrayList<>(); private final List<DetachedSignature> detachedSignatures = new ArrayList<>();
private final List<OnePassSignature> onePassSignatures = new ArrayList<>(); private final List<OnePassSignature> onePassSignatures = new ArrayList<>();
private SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.NULL; private SymmetricKeyAlgorithm symmetricKeyAlgorithm = SymmetricKeyAlgorithm.NULL;
@ -247,8 +250,8 @@ public class OpenPgpMetadata {
return this; return this;
} }
public Builder setDecryptionFingerprint(OpenPgpV4Fingerprint fingerprint) { public Builder setDecryptionKey(SubkeyIdentifier decryptionKey) {
this.decryptionFingerprint = fingerprint; this.decryptionKey = decryptionKey;
return this; return this;
} }
@ -280,7 +283,7 @@ public class OpenPgpMetadata {
} }
public OpenPgpMetadata build() { public OpenPgpMetadata build() {
return new OpenPgpMetadata(recipientFingerprints, decryptionFingerprint, return new OpenPgpMetadata(recipientFingerprints, decryptionKey,
symmetricKeyAlgorithm, compressionAlgorithm, symmetricKeyAlgorithm, compressionAlgorithm,
onePassSignatures, detachedSignatures, fileInfo); onePassSignatures, detachedSignatures, fileInfo);
} }

View file

@ -18,6 +18,7 @@ package org.pgpainless.key;
import javax.annotation.Nonnull; import javax.annotation.Nonnull;
import org.bouncycastle.openpgp.PGPKeyRing; import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
/** /**
* Tuple class used to identify a subkey by fingerprints of the primary key of the subkeys key ring, * Tuple class used to identify a subkey by fingerprints of the primary key of the subkeys key ring,
@ -62,6 +63,10 @@ public class SubkeyIdentifier {
this.subkeyFingerprint = subkeyFingerprint; this.subkeyFingerprint = subkeyFingerprint;
} }
public SubkeyIdentifier(PGPSecretKeyRing secretKeys) {
this(secretKeys, secretKeys.getPublicKey().getKeyID());
}
public @Nonnull OpenPgpV4Fingerprint getFingerprint() { public @Nonnull OpenPgpV4Fingerprint getFingerprint() {
return getSubkeyFingerprint(); return getSubkeyFingerprint();
} }

View file

@ -20,6 +20,7 @@ import org.bouncycastle.openpgp.PGPOnePassSignature;
import org.bouncycastle.openpgp.PGPPublicKeyRing; import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.OpenPgpV4Fingerprint;
import org.pgpainless.key.SubkeyIdentifier;
/** /**
* Tuple-class that bundles together a {@link PGPOnePassSignature} object, a {@link PGPPublicKeyRing} * Tuple-class that bundles together a {@link PGPOnePassSignature} object, a {@link PGPPublicKeyRing}
@ -66,8 +67,8 @@ public class OnePassSignature {
* *
* @return signing key fingerprint * @return signing key fingerprint
*/ */
public OpenPgpV4Fingerprint getFingerprint() { public SubkeyIdentifier getSigningKey() {
return new OpenPgpV4Fingerprint(verificationKeys.getPublicKey(onePassSignature.getKeyID())); return new SubkeyIdentifier(verificationKeys, onePassSignature.getKeyID());
} }
/** /**

View file

@ -34,6 +34,7 @@ import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.CompressionAlgorithm;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.SubkeyIdentifier;
import org.pgpainless.key.TestKeys; import org.pgpainless.key.TestKeys;
import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.KeyRingUtils;
@ -82,8 +83,8 @@ public class DecryptAndVerifyMessageTest {
assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm()); assertEquals(CompressionAlgorithm.ZLIB, metadata.getCompressionAlgorithm());
assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getSymmetricKeyAlgorithm()); assertEquals(SymmetricKeyAlgorithm.AES_256, metadata.getSymmetricKeyAlgorithm());
assertEquals(1, metadata.getSignatures().size()); assertEquals(1, metadata.getSignatures().size());
assertEquals(1, metadata.getVerifiedSignatureKeyFingerprints().size()); assertEquals(1, metadata.getVerifiedSignatures().size());
assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.JULIET_FINGERPRINT)); assertTrue(metadata.containsVerifiedSignatureFrom(TestKeys.JULIET_FINGERPRINT));
assertEquals(TestKeys.JULIET_FINGERPRINT, metadata.getDecryptionFingerprint()); assertEquals(new SubkeyIdentifier(TestKeys.JULIET_FINGERPRINT), metadata.getDecryptionKey());
} }
} }

View file

@ -32,7 +32,7 @@ import org.junit.jupiter.params.provider.MethodSource;
import org.pgpainless.PGPainless; import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.EncryptionPurpose; import org.pgpainless.algorithm.EncryptionPurpose;
import org.pgpainless.implementation.ImplementationFactory; import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier;
import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.info.KeyRingInfo;
public class DecryptHiddenRecipientMessage { public class DecryptHiddenRecipientMessage {
@ -158,7 +158,7 @@ public class DecryptHiddenRecipientMessage {
List<PGPPublicKey> encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS); List<PGPPublicKey> encryptionKeys = info.getEncryptionSubkeys(EncryptionPurpose.STORAGE_AND_COMMUNICATIONS);
assertEquals(1, encryptionKeys.size()); assertEquals(1, encryptionKeys.size());
assertEquals(new OpenPgpV4Fingerprint(encryptionKeys.iterator().next()), metadata.getDecryptionFingerprint()); assertEquals(new SubkeyIdentifier(secretKeys, encryptionKeys.get(0).getKeyID()), metadata.getDecryptionKey());
assertEquals("Hello Recipient :)", out.toString()); assertEquals("Hello Recipient :)", out.toString());
} }
} }

View file

@ -39,7 +39,6 @@ import org.pgpainless.algorithm.DocumentSignatureType;
import org.pgpainless.encryption_signing.EncryptionStream; import org.pgpainless.encryption_signing.EncryptionStream;
import org.pgpainless.encryption_signing.ProducerOptions; import org.pgpainless.encryption_signing.ProducerOptions;
import org.pgpainless.encryption_signing.SigningOptions; import org.pgpainless.encryption_signing.SigningOptions;
import org.pgpainless.key.OpenPgpV4Fingerprint;
import org.pgpainless.key.TestKeys; import org.pgpainless.key.TestKeys;
import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
@ -89,6 +88,6 @@ public class VerifyWithMissingPublicKeyCallback {
assertArrayEquals(msg.getBytes(StandardCharsets.UTF_8), plainOut.toByteArray()); assertArrayEquals(msg.getBytes(StandardCharsets.UTF_8), plainOut.toByteArray());
OpenPgpMetadata metadata = verificationStream.getResult(); OpenPgpMetadata metadata = verificationStream.getResult();
assertTrue(metadata.getVerifiedSignatureKeyFingerprints().contains(new OpenPgpV4Fingerprint(signingKey))); assertTrue(metadata.containsVerifiedSignatureFrom(signingPubKeys));
} }
} }

View file

@ -166,7 +166,7 @@ public class IgnoreMarkerPackets {
decryptionStream.close(); decryptionStream.close();
OpenPgpMetadata metadata = decryptionStream.getResult(); OpenPgpMetadata metadata = decryptionStream.getResult();
assertTrue(metadata.getVerifiedSignatures().containsKey(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330"))); assertTrue(metadata.containsVerifiedSignatureFrom(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330")));
} }
@Test @Test
@ -216,7 +216,7 @@ public class IgnoreMarkerPackets {
decryptionStream.close(); decryptionStream.close();
assertArrayEquals(data.getBytes(StandardCharsets.UTF_8), outputStream.toByteArray()); assertArrayEquals(data.getBytes(StandardCharsets.UTF_8), outputStream.toByteArray());
OpenPgpMetadata metadata = decryptionStream.getResult(); OpenPgpMetadata metadata = decryptionStream.getResult();
assertTrue(metadata.getVerifiedSignatures().containsKey(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330"))); assertTrue(metadata.containsVerifiedSignatureFrom(new OpenPgpV4Fingerprint("D1A66E1A23B182C9980F788CFBFCC82A015E7330")));
} }
@Test @Test

View file

@ -35,7 +35,7 @@ import org.pgpainless.PGPainless;
import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.ConsumerOptions;
import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.DecryptionStream;
import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.decryption_verification.OpenPgpMetadata;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier;
import org.pgpainless.sop.SopKeyUtil; import org.pgpainless.sop.SopKeyUtil;
import picocli.CommandLine; import picocli.CommandLine;
@ -156,18 +156,11 @@ public class Decrypt implements Runnable {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
if (verifyWith != null) { if (verifyWith != null) {
for (OpenPgpV4Fingerprint fingerprint : metadata.getVerifiedSignatures().keySet()) { for (SubkeyIdentifier signingKey : metadata.getVerifiedSignatures().keySet()) {
PGPPublicKeyRing verifier = null; PGPSignature signature = metadata.getVerifiedSignatures().get(signingKey);
for (PGPPublicKeyRing ring : verifyWith) {
if (ring.getPublicKey(fingerprint.getKeyId()) != null) {
verifier = ring;
break;
}
}
PGPSignature signature = metadata.getVerifiedSignatures().get(fingerprint);
sb.append(df.format(signature.getCreationTime())).append(' ') sb.append(df.format(signature.getCreationTime())).append(' ')
.append(fingerprint).append(' ') .append(signingKey.getSubkeyFingerprint()).append(' ')
.append(verifier != null ? new OpenPgpV4Fingerprint(verifier) : "null").append('\n'); .append(signingKey.getPrimaryKeyFingerprint()).append('\n');
} }
try { try {

View file

@ -39,7 +39,7 @@ import org.pgpainless.PGPainless;
import org.pgpainless.decryption_verification.ConsumerOptions; import org.pgpainless.decryption_verification.ConsumerOptions;
import org.pgpainless.decryption_verification.DecryptionStream; import org.pgpainless.decryption_verification.DecryptionStream;
import org.pgpainless.decryption_verification.OpenPgpMetadata; import org.pgpainless.decryption_verification.OpenPgpMetadata;
import org.pgpainless.key.OpenPgpV4Fingerprint; import org.pgpainless.key.SubkeyIdentifier;
import picocli.CommandLine; import picocli.CommandLine;
@CommandLine.Command(name = "verify", @CommandLine.Command(name = "verify",
@ -124,12 +124,12 @@ public class Verify implements Runnable {
return; return;
} }
Map<OpenPgpV4Fingerprint, PGPSignature> signaturesInTimeRange = new HashMap<>(); Map<SubkeyIdentifier, PGPSignature> signaturesInTimeRange = new HashMap<>();
for (OpenPgpV4Fingerprint fingerprint : metadata.getVerifiedSignatures().keySet()) { for (SubkeyIdentifier signingKey : metadata.getVerifiedSignatures().keySet()) {
PGPSignature signature = metadata.getVerifiedSignatures().get(fingerprint); PGPSignature signature = metadata.getVerifiedSignatures().get(signingKey);
Date creationTime = signature.getCreationTime(); Date creationTime = signature.getCreationTime();
if (!creationTime.before(notBeforeDate) && !creationTime.after(notAfterDate)) { if (!creationTime.before(notBeforeDate) && !creationTime.after(notAfterDate)) {
signaturesInTimeRange.put(fingerprint, signature); signaturesInTimeRange.put(signingKey, signature);
} }
} }
@ -141,19 +141,19 @@ public class Verify implements Runnable {
printValidSignatures(signaturesInTimeRange, publicKeys); printValidSignatures(signaturesInTimeRange, publicKeys);
} }
private void printValidSignatures(Map<OpenPgpV4Fingerprint, PGPSignature> validSignatures, Map<PGPPublicKeyRing, File> publicKeys) { private void printValidSignatures(Map<SubkeyIdentifier, PGPSignature> validSignatures, Map<PGPPublicKeyRing, File> publicKeys) {
for (OpenPgpV4Fingerprint sigKeyFp : validSignatures.keySet()) { for (SubkeyIdentifier signingKey : validSignatures.keySet()) {
PGPSignature signature = validSignatures.get(sigKeyFp); PGPSignature signature = validSignatures.get(signingKey);
for (PGPPublicKeyRing ring : publicKeys.keySet()) { for (PGPPublicKeyRing ring : publicKeys.keySet()) {
// Search signing key ring // Search signing key ring
File file = publicKeys.get(ring); File file = publicKeys.get(ring);
if (ring.getPublicKey(sigKeyFp.getKeyId()) == null) { if (ring.getPublicKey(signingKey.getKeyId()) == null) {
continue; continue;
} }
String utcSigDate = df.format(signature.getCreationTime()); String utcSigDate = df.format(signature.getCreationTime());
OpenPgpV4Fingerprint primaryKeyFp = new OpenPgpV4Fingerprint(ring); print_ln(utcSigDate + " " + signingKey.getSubkeyFingerprint() + " " + signingKey.getPrimaryKeyFingerprint() +
print_ln(utcSigDate + " " + sigKeyFp.toString() + " " + primaryKeyFp.toString() +
" signed by " + file.getName()); " signed by " + file.getName());
} }
} }