mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-25 12:27:58 +01:00
Refactor signature checks
This commit is contained in:
parent
74bccb6c82
commit
7c202b6955
1 changed files with 21 additions and 44 deletions
|
@ -196,11 +196,15 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
|
||||||
val issuer = nodeMap[issuerFingerprint]!!
|
val issuer = nodeMap[issuerFingerprint]!!
|
||||||
|
|
||||||
try {
|
try {
|
||||||
val valid = verifyDelegation(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
|
// Check signature type
|
||||||
if (valid) {
|
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(delegation)
|
||||||
|
// common verification steps that are shared by delegations and certifications
|
||||||
|
verifyCommonSignatureCriteria(candidate, delegation, issuerSigningKey, targetPrimaryKey, policy)
|
||||||
|
// check signature correctness
|
||||||
|
SignatureValidator.correctSignatureOverKey(issuerSigningKey, targetPrimaryKey).verify(delegation)
|
||||||
|
// only add the edge if the above checks did not throw
|
||||||
networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
|
networkBuilder.addEdge(fromDelegation(issuer, target, delegation))
|
||||||
return // we're done
|
return // we're done
|
||||||
}
|
|
||||||
} catch (e: SignatureValidationException) {
|
} catch (e: SignatureValidationException) {
|
||||||
val targetFingerprint = OpenPgpFingerprint.of(targetPrimaryKey)
|
val targetFingerprint = OpenPgpFingerprint.of(targetPrimaryKey)
|
||||||
LOGGER.warn("Cannot verify signature by $issuerFingerprint" +
|
LOGGER.warn("Cannot verify signature by $issuerFingerprint" +
|
||||||
|
@ -209,23 +213,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a delegation signature over a primary key.
|
|
||||||
* This method returns true, if the signature is correct and well-formed.
|
|
||||||
* It does not reject expired or revoked signatures.
|
|
||||||
*/
|
|
||||||
fun verifyDelegation(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, policy: Policy): Boolean {
|
|
||||||
// Check signature type
|
|
||||||
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION, SignatureType.DIRECT_KEY).verify(signature)
|
|
||||||
|
|
||||||
// common verification steps that are shared by delegations and certifications
|
|
||||||
verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
|
|
||||||
|
|
||||||
// check signature correctness
|
|
||||||
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature)
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process a certification (third-party-issued certification over the given [userId])
|
* Process a certification (third-party-issued certification over the given [userId])
|
||||||
* and add it upon successful verification as an edge to the [Network.Builder].
|
* and add it upon successful verification as an edge to the [Network.Builder].
|
||||||
|
@ -250,11 +237,18 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
|
||||||
val issuer = nodeMap[issuerFingerprint]!!
|
val issuer = nodeMap[issuerFingerprint]!!
|
||||||
|
|
||||||
try {
|
try {
|
||||||
val valid = verifyCertification(candidate, certification, issuerSigningKey, targetPrimaryKey, userId, policy)
|
// check signature type
|
||||||
if (valid) {
|
SignatureValidator.signatureIsOfType(
|
||||||
|
SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION,
|
||||||
|
SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION,
|
||||||
|
SignatureType.POSITIVE_CERTIFICATION).verify(certification)
|
||||||
|
// perform shared verification steps
|
||||||
|
verifyCommonSignatureCriteria(candidate, certification, issuerSigningKey, targetPrimaryKey, policy)
|
||||||
|
// check correct signature
|
||||||
|
SignatureValidator.correctSignatureOverUserId(userId, issuerSigningKey, targetPrimaryKey).verify(certification)
|
||||||
|
// Only add the edge, if the above checks did not throw
|
||||||
networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
|
networkBuilder.addEdge(fromCertification(issuer, target, userId, certification))
|
||||||
return // we're done
|
return // we're done
|
||||||
}
|
|
||||||
} catch (e: SignatureValidationException) {
|
} catch (e: SignatureValidationException) {
|
||||||
LOGGER.warn("Cannot verify signature for '$userId' by $issuerFingerprint" +
|
LOGGER.warn("Cannot verify signature for '$userId' by $issuerFingerprint" +
|
||||||
" on cert of ${target.fingerprint}", e)
|
" on cert of ${target.fingerprint}", e)
|
||||||
|
@ -262,23 +256,6 @@ class WebOfTrust(private val certificateStore: PGPCertificateStore) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Verify a certification over a user-ID.
|
|
||||||
* This method returns true, if the signature is correct and well-formed.
|
|
||||||
* It does not reject expired or revoked signatures.
|
|
||||||
*/
|
|
||||||
fun verifyCertification(issuer: KeyRingInfo, signature: PGPSignature, signingKey: PGPPublicKey, signedKey: PGPPublicKey, userId: String, policy: Policy): Boolean {
|
|
||||||
// check signature type
|
|
||||||
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION, SignatureType.GENERIC_CERTIFICATION, SignatureType.NO_CERTIFICATION, SignatureType.CASUAL_CERTIFICATION, SignatureType.POSITIVE_CERTIFICATION).verify(signature)
|
|
||||||
|
|
||||||
// perform shared verification steps
|
|
||||||
verifyCommonSignatureCriteria(issuer, signature, signingKey, signedKey, policy)
|
|
||||||
|
|
||||||
// check correct signature
|
|
||||||
SignatureValidator.correctSignatureOverUserId(userId, signedKey, signingKey).verify(signature)
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
fun verifyCommonSignatureCriteria(issuer: KeyRingInfo,
|
fun verifyCommonSignatureCriteria(issuer: KeyRingInfo,
|
||||||
signature: PGPSignature,
|
signature: PGPSignature,
|
||||||
signingKey: PGPPublicKey,
|
signingKey: PGPPublicKey,
|
||||||
|
|
Loading…
Reference in a new issue