Validate PublicKeyAlgorithmPolicy when generating keys
parent
6c02b9ad44
commit
6df4211985
2 changed files with 35 additions and 0 deletions
|
@ -42,6 +42,14 @@ open class OpenPgpKeyBuilder(
|
||||||
flags: List<KeyFlag>? = listOf(KeyFlag.CERTIFY_OTHER)
|
flags: List<KeyFlag>? = listOf(KeyFlag.CERTIFY_OTHER)
|
||||||
): V4OpenPgpKeyBuilder = V4OpenPgpKeyBuilder(keyType, flags, policy, referenceTime, preferences)
|
): V4OpenPgpKeyBuilder = V4OpenPgpKeyBuilder(keyType, flags, policy, referenceTime, preferences)
|
||||||
|
|
||||||
|
internal fun verifyAlgorithmComplianceWithPolicy(keyType: KeyType, policy: Policy) {
|
||||||
|
val algorithm = keyType.algorithm
|
||||||
|
val bitStrength = keyType.bitStrength
|
||||||
|
require(policy.publicKeyAlgorithmPolicy.isAcceptable(algorithm, bitStrength)) {
|
||||||
|
"Public key algorithm policy violation: $algorithm with bit strength $bitStrength is not acceptable."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Builder for version 4 OpenPGP keys.
|
* Builder for version 4 OpenPGP keys.
|
||||||
*
|
*
|
||||||
|
@ -60,6 +68,10 @@ open class OpenPgpKeyBuilder(
|
||||||
preferences: AlgorithmSuite
|
preferences: AlgorithmSuite
|
||||||
) : OpenPgpKeyBuilder(policy, referenceTime, preferences) {
|
) : OpenPgpKeyBuilder(policy, referenceTime, preferences) {
|
||||||
|
|
||||||
|
init {
|
||||||
|
verifyAlgorithmComplianceWithPolicy(primaryKeyType, policy)
|
||||||
|
}
|
||||||
|
|
||||||
private val primaryKey =
|
private val primaryKey =
|
||||||
BaseOpenPgpKeyBuilder.BaseV4PrimaryKeyBuilder(primaryKeyType, referenceTime, policy)
|
BaseOpenPgpKeyBuilder.BaseV4PrimaryKeyBuilder(primaryKeyType, referenceTime, policy)
|
||||||
private val subkeys = mutableListOf<BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder>()
|
private val subkeys = mutableListOf<BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder>()
|
||||||
|
@ -140,6 +152,7 @@ open class OpenPgpKeyBuilder(
|
||||||
subkeyBuilder: BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder,
|
subkeyBuilder: BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder,
|
||||||
subpacketsCallback: SelfSignatureSubpackets.Callback = SelfSignatureSubpackets.nop()
|
subpacketsCallback: SelfSignatureSubpackets.Callback = SelfSignatureSubpackets.nop()
|
||||||
) = apply {
|
) = apply {
|
||||||
|
verifyAlgorithmComplianceWithPolicy(subkeyBuilder.type, policy)
|
||||||
subkeys.add(subkeyBuilder.bindingSignature(subpacketsCallback = subpacketsCallback))
|
subkeys.add(subkeyBuilder.bindingSignature(subpacketsCallback = subpacketsCallback))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
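Review bot: The policy check is enforced only at the `V4OpenPgpKeyBuilder` layer (its `init` block and `addSubkey`), while `BaseOpenPgpKeyBuilder.BaseV4PrimaryKeyBuilder` receives the same `policy` a few lines below and, as far as this section shows, does not check it itself. If the base builders are reachable from other callers, those paths would still yield keys the policy rejects, so calling `verifyAlgorithmComplianceWithPolicy(type, policy)` in the base builder would cover every construction path; please confirm against the base classes, which are outside this diff. In `addSubkey` the check runs on an already constructed `subkeyBuilder`, so presumably after its key material exists, and a rejected subkey is discarded late rather than never generated. The helper also has no KDoc; `/** Throws [IllegalArgumentException] if [policy] does not accept the algorithm and bit strength of [keyType]. */` would document the new failure mode. The enclosing class and both methods continue outside the hunks.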
@ -3,10 +3,13 @@ package org.pgpainless.key.generation
|
||||||
import org.bouncycastle.bcpg.attr.ImageAttribute
|
import org.bouncycastle.bcpg.attr.ImageAttribute
|
||||||
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator
|
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator
|
||||||
import org.junit.jupiter.api.Test
|
import org.junit.jupiter.api.Test
|
||||||
|
import org.junit.jupiter.api.assertThrows
|
||||||
import org.pgpainless.PGPainless
|
import org.pgpainless.PGPainless
|
||||||
import org.pgpainless.algorithm.KeyFlag
|
import org.pgpainless.algorithm.KeyFlag
|
||||||
|
import org.pgpainless.algorithm.PublicKeyAlgorithm
|
||||||
import org.pgpainless.key.generation.type.KeyType
|
import org.pgpainless.key.generation.type.KeyType
|
||||||
import org.pgpainless.key.generation.type.eddsa.EdDSACurve
|
import org.pgpainless.key.generation.type.eddsa.EdDSACurve
|
||||||
|
import org.pgpainless.key.generation.type.rsa.RsaLength
|
||||||
import org.pgpainless.key.generation.type.xdh.XDHSpec
|
import org.pgpainless.key.generation.type.xdh.XDHSpec
|
||||||
import org.pgpainless.key.protection.SecretKeyRingProtector
|
import org.pgpainless.key.protection.SecretKeyRingProtector
|
||||||
import org.pgpainless.policy.Policy
|
import org.pgpainless.policy.Policy
|
||||||
|
@ -49,4 +52,23 @@ class OpenPgpKeyBuilderTest {
|
||||||
.build()
|
.build()
|
||||||
println(PGPainless.asciiArmor(key))
|
println(PGPainless.asciiArmor(key))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun testKeyGenerationWithUnacceptablePKAlgorithmFails() {
|
||||||
|
// Policy only allows RSA 4096 algorithms
|
||||||
|
val policy =
|
||||||
|
Policy(
|
||||||
|
publicKeyAlgorithmPolicy =
|
||||||
|
Policy.PublicKeyAlgorithmPolicy(mapOf(PublicKeyAlgorithm.RSA_GENERAL to 4096)))
|
||||||
|
val builder = OpenPgpKeyBuilder(policy)
|
||||||
|
|
||||||
|
assertThrows<IllegalArgumentException> {
|
||||||
|
builder.buildV4Key(KeyType.RSA(RsaLength._3072)) // too weak
|
||||||
|
}
|
||||||
|
|
||||||
|
val v4Builder = builder.buildV4Key(KeyType.RSA(RsaLength._4096)) // ok
|
||||||
|
assertThrows<IllegalArgumentException> {
|
||||||
|
v4Builder.addSigningSubkey(KeyType.RSA(RsaLength._2048)) // too weak
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
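Review bot: `testKeyGenerationWithUnacceptablePKAlgorithmFails` rejects only weaker RSA sizes (3072 for the primary key, 2048 for the subkey), so it never exercises an algorithm that is absent from the policy map, although its comment says the policy allows RSA 4096 only. A regression that treats unlisted algorithms as acceptable would pass this test. Adding `assertThrows<IllegalArgumentException> { builder.buildV4Key(KeyType.EDDSA(EdDSACurve._Ed25519)) }` would pin that case, assuming `KeyType.EDDSA` is the factory the earlier tests in this file use with the already imported `EdDSACurve`. The same check on an encryption subkey would show that the guard in `addSubkey` is not specific to `addSigningSubkey`.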