Validate PublicKeyAlgorithmPolicy when generating keys
parent
6c02b9ad44
commit
6df4211985
2 changed files with 35 additions and 0 deletions
|
@ -42,6 +42,14 @@ open class OpenPgpKeyBuilder(
|
|||
flags: List<KeyFlag>? = listOf(KeyFlag.CERTIFY_OTHER)
|
||||
): V4OpenPgpKeyBuilder = V4OpenPgpKeyBuilder(keyType, flags, policy, referenceTime, preferences)
|
||||
|
||||
internal fun verifyAlgorithmComplianceWithPolicy(keyType: KeyType, policy: Policy) {
|
||||
val algorithm = keyType.algorithm
|
||||
val bitStrength = keyType.bitStrength
|
||||
require(policy.publicKeyAlgorithmPolicy.isAcceptable(algorithm, bitStrength)) {
|
||||
"Public key algorithm policy violation: $algorithm with bit strength $bitStrength is not acceptable."
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Builder for version 4 OpenPGP keys.
|
||||
*
|
||||
|
@ -60,6 +68,10 @@ open class OpenPgpKeyBuilder(
|
|||
preferences: AlgorithmSuite
|
||||
) : OpenPgpKeyBuilder(policy, referenceTime, preferences) {
|
||||
|
||||
init {
|
||||
verifyAlgorithmComplianceWithPolicy(primaryKeyType, policy)
|
||||
}
|
||||
|
||||
private val primaryKey =
|
||||
BaseOpenPgpKeyBuilder.BaseV4PrimaryKeyBuilder(primaryKeyType, referenceTime, policy)
|
||||
private val subkeys = mutableListOf<BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder>()
|
||||
|
@ -140,6 +152,7 @@ open class OpenPgpKeyBuilder(
|
|||
subkeyBuilder: BaseOpenPgpKeyBuilder.BaseV4SubkeyBuilder,
|
||||
subpacketsCallback: SelfSignatureSubpackets.Callback = SelfSignatureSubpackets.nop()
|
||||
) = apply {
|
||||
verifyAlgorithmComplianceWithPolicy(subkeyBuilder.type, policy)
|
||||
subkeys.add(subkeyBuilder.bindingSignature(subpacketsCallback = subpacketsCallback))
|
||||
}
|
||||
|
||||
|
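Review bot: The policy check in `addSubkey` runs on a `BaseV4SubkeyBuilder` that is already constructed, and the `init` check guards only `V4OpenPgpKeyBuilder`. If the `BaseOpenPgpKeyBuilder` classes can be used directly by callers (not visible on this page), a key whose algorithm or bit strength the policy rejects could still be produced through them. Consider enforcing the check where the key pair is actually generated, or documenting that this builder is the only enforcement point. The new helper also has no KDoc; something like `/** Throws [IllegalArgumentException] if [policy] does not accept the algorithm and bit strength of [keyType]. */` would state the contract the test relies on. The enclosing class and `addSubkey` both start outside the visible hunks.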
|
|
@ -3,10 +3,13 @@ package org.pgpainless.key.generation
|
|||
import org.bouncycastle.bcpg.attr.ImageAttribute
|
||||
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVectorGenerator
|
||||
import org.junit.jupiter.api.Test
|
||||
import org.junit.jupiter.api.assertThrows
|
||||
import org.pgpainless.PGPainless
|
||||
import org.pgpainless.algorithm.KeyFlag
|
||||
import org.pgpainless.algorithm.PublicKeyAlgorithm
|
||||
import org.pgpainless.key.generation.type.KeyType
|
||||
import org.pgpainless.key.generation.type.eddsa.EdDSACurve
|
||||
import org.pgpainless.key.generation.type.rsa.RsaLength
|
||||
import org.pgpainless.key.generation.type.xdh.XDHSpec
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector
|
||||
import org.pgpainless.policy.Policy
|
||||
|
@ -49,4 +52,23 @@ class OpenPgpKeyBuilderTest {
|
|||
.build()
|
||||
println(PGPainless.asciiArmor(key))
|
||||
}
|
||||
|
||||
@Test
|
||||
fun testKeyGenerationWithUnacceptablePKAlgorithmFails() {
|
||||
// Policy only allows RSA 4096 algorithms
|
||||
val policy =
|
||||
Policy(
|
||||
publicKeyAlgorithmPolicy =
|
||||
Policy.PublicKeyAlgorithmPolicy(mapOf(PublicKeyAlgorithm.RSA_GENERAL to 4096)))
|
||||
val builder = OpenPgpKeyBuilder(policy)
|
||||
|
||||
assertThrows<IllegalArgumentException> {
|
||||
builder.buildV4Key(KeyType.RSA(RsaLength._3072)) // too weak
|
||||
}
|
||||
|
||||
val v4Builder = builder.buildV4Key(KeyType.RSA(RsaLength._4096)) // ok
|
||||
assertThrows<IllegalArgumentException> {
|
||||
v4Builder.addSigningSubkey(KeyType.RSA(RsaLength._2048)) // too weak
|
||||
}
|
||||
}
|
||||
}
|
||||
|
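Review bot: `testKeyGenerationWithUnacceptablePKAlgorithmFails` only tries RSA keys below the configured bit strength; it never tries an algorithm that is missing from the policy map, which is presumably also rejected by `isAcceptable`. One more `assertThrows<IllegalArgumentException>` case with a non-RSA key type (the file already imports `EdDSACurve` and `XDHSpec`) would pin that path for both the primary key and a subkey. An accepted-subkey case such as `v4Builder.addSigningSubkey(KeyType.RSA(RsaLength._4096))` would show the check does not over-reject. The comment `// Policy only allows RSA 4096 algorithms` should say whether 4096 is an exact size or a minimum, since the single `// ok` case does not settle it.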
|