1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-26 06:12:06 +01:00

s/{validation|evaluation}Date/referenceTime/g

This commit is contained in:
Paul Schaub 2022-06-24 12:47:35 +02:00
parent 0c0f82ce2e
commit 7e0b1b344c
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
3 changed files with 179 additions and 118 deletions

View file

@ -56,7 +56,7 @@ public class KeyRingInfo {
private final PGPKeyRing keys; private final PGPKeyRing keys;
private final Signatures signatures; private final Signatures signatures;
private final Date evaluationDate; private final Date referenceDate;
private final String primaryUserId; private final String primaryUserId;
/** /**
@ -99,7 +99,7 @@ public class KeyRingInfo {
public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) { public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) {
this.keys = keys; this.keys = keys;
this.signatures = new Signatures(keys, validationDate, policy); this.signatures = new Signatures(keys, validationDate, policy);
this.evaluationDate = validationDate; this.referenceDate = validationDate;
this.primaryUserId = findPrimaryUserId(); this.primaryUserId = findPrimaryUserId();
} }
@ -413,7 +413,7 @@ public class KeyRingInfo {
} }
if (certification.getHashedSubPackets().isPrimaryUserID()) { if (certification.getHashedSubPackets().isPrimaryUserID()) {
Date keyExpiration = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(certification, keys.getPublicKey()); Date keyExpiration = SignatureSubpacketsUtil.getKeyExpirationTimeAsDate(certification, keys.getPublicKey());
if (keyExpiration != null && evaluationDate.after(keyExpiration)) { if (keyExpiration != null && referenceDate.after(keyExpiration)) {
return false; return false;
} }
} }
@ -1097,9 +1097,9 @@ public class KeyRingInfo {
private final Map<Long, PGPSignature> subkeyRevocations; private final Map<Long, PGPSignature> subkeyRevocations;
private final Map<Long, PGPSignature> subkeyBindings; private final Map<Long, PGPSignature> subkeyBindings;
public Signatures(PGPKeyRing keyRing, Date evaluationDate, Policy policy) { public Signatures(PGPKeyRing keyRing, Date referenceDate, Policy policy) {
primaryKeyRevocation = SignaturePicker.pickCurrentRevocationSelfSignature(keyRing, policy, evaluationDate); primaryKeyRevocation = SignaturePicker.pickCurrentRevocationSelfSignature(keyRing, policy, referenceDate);
primaryKeySelfSignature = SignaturePicker.pickLatestDirectKeySignature(keyRing, policy, evaluationDate); primaryKeySelfSignature = SignaturePicker.pickLatestDirectKeySignature(keyRing, policy, referenceDate);
userIdRevocations = new HashMap<>(); userIdRevocations = new HashMap<>();
userIdCertifications = new HashMap<>(); userIdCertifications = new HashMap<>();
subkeyRevocations = new HashMap<>(); subkeyRevocations = new HashMap<>();
@ -1107,11 +1107,11 @@ public class KeyRingInfo {
for (Iterator<String> it = keyRing.getPublicKey().getUserIDs(); it.hasNext(); ) { for (Iterator<String> it = keyRing.getPublicKey().getUserIDs(); it.hasNext(); ) {
String userId = it.next(); String userId = it.next();
PGPSignature revocation = SignaturePicker.pickCurrentUserIdRevocationSignature(keyRing, userId, policy, evaluationDate); PGPSignature revocation = SignaturePicker.pickCurrentUserIdRevocationSignature(keyRing, userId, policy, referenceDate);
if (revocation != null) { if (revocation != null) {
userIdRevocations.put(userId, revocation); userIdRevocations.put(userId, revocation);
} }
PGPSignature certification = SignaturePicker.pickLatestUserIdCertificationSignature(keyRing, userId, policy, evaluationDate); PGPSignature certification = SignaturePicker.pickLatestUserIdCertificationSignature(keyRing, userId, policy, referenceDate);
if (certification != null) { if (certification != null) {
userIdCertifications.put(userId, certification); userIdCertifications.put(userId, certification);
} }
@ -1121,11 +1121,11 @@ public class KeyRingInfo {
keys.next(); // Skip primary key keys.next(); // Skip primary key
while (keys.hasNext()) { while (keys.hasNext()) {
PGPPublicKey subkey = keys.next(); PGPPublicKey subkey = keys.next();
PGPSignature subkeyRevocation = SignaturePicker.pickCurrentSubkeyBindingRevocationSignature(keyRing, subkey, policy, evaluationDate); PGPSignature subkeyRevocation = SignaturePicker.pickCurrentSubkeyBindingRevocationSignature(keyRing, subkey, policy, referenceDate);
if (subkeyRevocation != null) { if (subkeyRevocation != null) {
subkeyRevocations.put(subkey.getKeyID(), subkeyRevocation); subkeyRevocations.put(subkey.getKeyID(), subkeyRevocation);
} }
PGPSignature subkeyBinding = SignaturePicker.pickLatestSubkeyBindingSignature(keyRing, subkey, policy, evaluationDate); PGPSignature subkeyBinding = SignaturePicker.pickLatestSubkeyBindingSignature(keyRing, subkey, policy, referenceDate);
if (subkeyBinding != null) { if (subkeyBinding != null) {
subkeyBindings.put(subkey.getKeyID(), subkeyBinding); subkeyBindings.put(subkey.getKeyID(), subkeyBinding);
} }

View file

@ -44,14 +44,15 @@ public abstract class SignatureValidator {
/** /**
* Check, whether there is the possibility that the given signature was created by the given key. * Check, whether there is the possibility that the given signature was created by the given key.
* {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that the signature * {@link #verify(PGPSignature)} throws a {@link SignatureValidationException} if we can say with certainty that
* was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet). * the signature was not created by the given key (e.g. if the sig carries another issuer, issuer fingerprint packet).
* *
* If there is no information found in the signature about who created it (no issuer, no fingerprint), * If there is no information found in the signature about who created it (no issuer, no fingerprint),
* {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig. * {@link #verify(PGPSignature)} will simply return since it is plausible that the given key created the sig.
* *
* @param signingKey signing key * @param signingKey signing key
* @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by the given key. * @return validator that throws a {@link SignatureValidationException} if the signature was not possibly made by
* the given key.
*/ */
public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) { public static SignatureValidator wasPossiblyMadeByKey(PGPPublicKey signingKey) {
return new SignatureValidator() { return new SignatureValidator() {
@ -62,14 +63,17 @@ public abstract class SignatureValidator {
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature); Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
if (issuer != null) { if (issuer != null) {
if (issuer != signingKey.getKeyID()) { if (issuer != signingKey.getKeyID()) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")"); throw new SignatureValidationException("Signature was not created by " +
signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
} }
} }
OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature); OpenPgpFingerprint fingerprint =
SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
if (fingerprint != null) { if (fingerprint != null) {
if (!fingerprint.equals(signingKeyFingerprint)) { if (!fingerprint.equals(signingKeyFingerprint)) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")"); throw new SignatureValidationException("Signature was not created by " +
signingKeyFingerprint + " (signature fingerprint: " + fingerprint + ")");
} }
} }
@ -86,10 +90,12 @@ public abstract class SignatureValidator {
* @param primaryKey primary key * @param primaryKey primary key
* @param subkey subkey * @param subkey subkey
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return validator * @return validator
*/ */
public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) { public static SignatureValidator hasValidPrimaryKeyBindingSignatureIfRequired(PGPPublicKey primaryKey,
PGPPublicKey subkey, Policy policy,
Date referenceDate) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
@ -117,7 +123,7 @@ public abstract class SignatureValidator {
try { try {
signatureStructureIsAcceptable(subkey, policy).verify(embedded); signatureStructureIsAcceptable(subkey, policy).verify(embedded);
signatureIsEffective(validationDate).verify(embedded); signatureIsEffective(referenceDate).verify(embedded);
correctPrimaryKeyBindingSignature(primaryKey, subkey).verify(embedded); correctPrimaryKeyBindingSignature(primaryKey, subkey).verify(embedded);
hasValidPrimaryKeyBinding = true; hasValidPrimaryKeyBinding = true;
@ -129,7 +135,9 @@ public abstract class SignatureValidator {
} }
if (!hasValidPrimaryKeyBinding) { if (!hasValidPrimaryKeyBinding) {
throw new SignatureValidationException("Missing primary key binding signature on signing capable subkey " + Long.toHexString(subkey.getKeyID()), rejectedEmbeddedSigs); throw new SignatureValidationException(
"Missing primary key binding signature on signing capable subkey " +
Long.toHexString(subkey.getKeyID()), rejectedEmbeddedSigs);
} }
} catch (PGPException e) { } catch (PGPException e) {
throw new SignatureValidationException("Cannot process list of embedded signatures.", e); throw new SignatureValidationException("Cannot process list of embedded signatures.", e);
@ -165,7 +173,8 @@ public abstract class SignatureValidator {
* @param signingKey signing key * @param signingKey signing key
* @return validator * @return validator
*/ */
private static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy, PGPPublicKey signingKey) { private static SignatureValidator signatureUsesAcceptablePublicKeyAlgorithm(Policy policy,
PGPPublicKey signingKey) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
@ -176,7 +185,8 @@ public abstract class SignatureValidator {
} }
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) { if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
throw new SignatureValidationException("Signature was made using unacceptable key. " + throw new SignatureValidationException("Signature was made using unacceptable key. " +
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy."); algorithm + " (" + bitStrength +
" bits) is not acceptable according to the public key algorithm policy.");
} }
} }
}; };
@ -194,13 +204,16 @@ public abstract class SignatureValidator {
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
try { try {
HashAlgorithm hashAlgorithm = HashAlgorithm.requireFromId(signature.getHashAlgorithm()); HashAlgorithm hashAlgorithm = HashAlgorithm.requireFromId(signature.getHashAlgorithm());
Policy.HashAlgorithmPolicy hashAlgorithmPolicy = getHashAlgorithmPolicyForSignature(signature, policy); Policy.HashAlgorithmPolicy hashAlgorithmPolicy =
getHashAlgorithmPolicyForSignature(signature, policy);
if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm(), signature.getCreationTime())) { if (!hashAlgorithmPolicy.isAcceptable(signature.getHashAlgorithm(), signature.getCreationTime())) {
throw new SignatureValidationException("Signature uses unacceptable hash algorithm " + hashAlgorithm + throw new SignatureValidationException("Signature uses unacceptable hash algorithm " +
" (Signature creation time: " + DateUtil.formatUTCDate(signature.getCreationTime()) + ")"); hashAlgorithm + " (Signature creation time: " +
DateUtil.formatUTCDate(signature.getCreationTime()) + ")");
} }
} catch (NoSuchElementException e) { } catch (NoSuchElementException e) {
throw new SignatureValidationException("Signature uses unknown hash algorithm " + signature.getHashAlgorithm()); throw new SignatureValidationException("Signature uses unknown hash algorithm " +
signature.getHashAlgorithm());
} }
} }
}; };
@ -214,10 +227,12 @@ public abstract class SignatureValidator {
* @param policy revocation policy for revocation sigs, normal policy for non-rev sigs * @param policy revocation policy for revocation sigs, normal policy for non-rev sigs
* @return policy * @return policy
*/ */
private static Policy.HashAlgorithmPolicy getHashAlgorithmPolicyForSignature(PGPSignature signature, Policy policy) { private static Policy.HashAlgorithmPolicy getHashAlgorithmPolicyForSignature(PGPSignature signature,
Policy policy) {
SignatureType type = SignatureType.valueOf(signature.getSignatureType()); SignatureType type = SignatureType.valueOf(signature.getSignatureType());
Policy.HashAlgorithmPolicy hashAlgorithmPolicy; Policy.HashAlgorithmPolicy hashAlgorithmPolicy;
if (type == SignatureType.CERTIFICATION_REVOCATION || type == SignatureType.KEY_REVOCATION || type == SignatureType.SUBKEY_REVOCATION) { if (type == SignatureType.CERTIFICATION_REVOCATION || type == SignatureType.KEY_REVOCATION ||
type == SignatureType.SUBKEY_REVOCATION) {
hashAlgorithmPolicy = policy.getRevocationSignatureHashAlgorithmPolicy(); hashAlgorithmPolicy = policy.getRevocationSignatureHashAlgorithmPolicy();
} else { } else {
hashAlgorithmPolicy = policy.getSignatureHashAlgorithmPolicy(); hashAlgorithmPolicy = policy.getSignatureHashAlgorithmPolicy();
@ -241,7 +256,8 @@ public abstract class SignatureValidator {
continue; continue;
} }
if (!registry.isKnownNotation(notation.getNotationName())) { if (!registry.isKnownNotation(notation.getNotationName())) {
throw new SignatureValidationException("Signature contains unknown critical notation '" + notation.getNotationName() + "' in its hashed area."); throw new SignatureValidationException("Signature contains unknown critical notation '" +
notation.getNotationName() + "' in its hashed area.");
} }
} }
} }
@ -262,7 +278,9 @@ public abstract class SignatureValidator {
try { try {
SignatureSubpacket.requireFromCode(criticalTag); SignatureSubpacket.requireFromCode(criticalTag);
} catch (NoSuchElementException e) { } catch (NoSuchElementException e) {
throw new SignatureValidationException("Signature contains unknown critical subpacket of type " + Long.toHexString(criticalTag)); throw new SignatureValidationException(
"Signature contains unknown critical subpacket of type " +
Long.toHexString(criticalTag));
} }
} }
} }
@ -281,15 +299,15 @@ public abstract class SignatureValidator {
/** /**
* Verify that a signature is effective at the given reference date. * Verify that a signature is effective at the given reference date.
* *
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return validator * @return validator
*/ */
public static SignatureValidator signatureIsEffective(Date validationDate) { public static SignatureValidator signatureIsEffective(Date referenceDate) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
signatureIsAlreadyEffective(validationDate).verify(signature); signatureIsAlreadyEffective(referenceDate).verify(signature);
signatureIsNotYetExpired(validationDate).verify(signature); signatureIsNotYetExpired(referenceDate).verify(signature);
} }
}; };
} }
@ -297,10 +315,10 @@ public abstract class SignatureValidator {
/** /**
* Verify that a signature was created prior to the given reference date. * Verify that a signature was created prior to the given reference date.
* *
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return validator * @return validator
*/ */
public static SignatureValidator signatureIsAlreadyEffective(Date validationDate) { public static SignatureValidator signatureIsAlreadyEffective(Date referenceDate) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
@ -310,8 +328,9 @@ public abstract class SignatureValidator {
return; return;
} }
if (signatureCreationTime.after(validationDate)) { if (signatureCreationTime.after(referenceDate)) {
throw new SignatureValidationException("Signature was created at " + signatureCreationTime + " and is therefore not yet valid at " + validationDate); throw new SignatureValidationException("Signature was created at " + signatureCreationTime +
" and is therefore not yet valid at " + referenceDate);
} }
} }
}; };
@ -320,10 +339,10 @@ public abstract class SignatureValidator {
/** /**
* Verify that a signature is not yet expired. * Verify that a signature is not yet expired.
* *
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return validator * @return validator
*/ */
public static SignatureValidator signatureIsNotYetExpired(Date validationDate) { public static SignatureValidator signatureIsNotYetExpired(Date referenceDate) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
@ -333,8 +352,9 @@ public abstract class SignatureValidator {
} }
Date signatureExpirationTime = SignatureSubpacketsUtil.getSignatureExpirationTimeAsDate(signature); Date signatureExpirationTime = SignatureSubpacketsUtil.getSignatureExpirationTimeAsDate(signature);
if (signatureExpirationTime != null && signatureExpirationTime.before(validationDate)) { if (signatureExpirationTime != null && signatureExpirationTime.before(referenceDate)) {
throw new SignatureValidationException("Signature is already expired (expiration: " + signatureExpirationTime + ", validation: " + validationDate + ")"); throw new SignatureValidationException("Signature is already expired (expiration: " +
signatureExpirationTime + ", validation: " + referenceDate + ")");
} }
} }
}; };
@ -375,7 +395,8 @@ public abstract class SignatureValidator {
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
SignatureCreationTime creationTime = SignatureSubpacketsUtil.getSignatureCreationTime(signature); SignatureCreationTime creationTime = SignatureSubpacketsUtil.getSignatureCreationTime(signature);
if (creationTime == null) { if (creationTime == null) {
throw new SignatureValidationException("Malformed signature. Signature has no signature creation time subpacket in its hashed area."); throw new SignatureValidationException(
"Malformed signature. Signature has no signature creation time subpacket in its hashed area.");
} }
} }
}; };
@ -405,7 +426,8 @@ public abstract class SignatureValidator {
Date signatureCreationTime = signature.getCreationTime(); Date signatureCreationTime = signature.getCreationTime();
if (keyCreationTime.after(signatureCreationTime)) { if (keyCreationTime.after(signatureCreationTime)) {
throw new SignatureValidationException("Signature predates key (key creation: " + keyCreationTime + ", signature creation: " + signatureCreationTime + ")"); throw new SignatureValidationException("Signature predates key (key creation: " +
keyCreationTime + ", signature creation: " + signatureCreationTime + ")");
} }
} }
}; };
@ -425,7 +447,8 @@ public abstract class SignatureValidator {
return; return;
} }
boolean predatesBindingSig = true; boolean predatesBindingSig = true;
Iterator<PGPSignature> bindingSignatures = signingKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode()); Iterator<PGPSignature> bindingSignatures =
signingKey.getSignaturesOfType(SignatureType.SUBKEY_BINDING.getCode());
if (!bindingSignatures.hasNext()) { if (!bindingSignatures.hasNext()) {
throw new SignatureValidationException("Signing subkey does not have a subkey binding signature."); throw new SignatureValidationException("Signing subkey does not have a subkey binding signature.");
} }
@ -436,7 +459,8 @@ public abstract class SignatureValidator {
} }
} }
if (predatesBindingSig) { if (predatesBindingSig) {
throw new SignatureValidationException("Signature was created before the signing key was bound to the key ring."); throw new SignatureValidationException(
"Signature was created before the signing key was bound to the key ring.");
} }
} }
}; };
@ -457,7 +481,8 @@ public abstract class SignatureValidator {
throw new SignatureValidationException("Primary key cannot be its own subkey."); throw new SignatureValidationException("Primary key cannot be its own subkey.");
} }
try { try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), primaryKey); signature.init(ImplementationFactory.getInstance()
.getPGPContentVerifierBuilderProvider(), primaryKey);
boolean valid = signature.verifyCertification(primaryKey, subkey); boolean valid = signature.verifyCertification(primaryKey, subkey);
if (!valid) { if (!valid) {
throw new SignatureValidationException("Signature is not correct."); throw new SignatureValidationException("Signature is not correct.");
@ -487,7 +512,8 @@ public abstract class SignatureValidator {
throw new SignatureValidationException("Primary Key Binding Signature is not correct."); throw new SignatureValidationException("Primary Key Binding Signature is not correct.");
} }
} catch (PGPException | ClassCastException e) { } catch (PGPException | ClassCastException e) {
throw new SignatureValidationException("Cannot verify primary key binding signature correctness", e); throw new SignatureValidationException(
"Cannot verify primary key binding signature correctness", e);
} }
} }
}; };
@ -554,7 +580,8 @@ public abstract class SignatureValidator {
} }
} }
if (!valid) { if (!valid) {
throw new SignatureValidationException("Signature is of type " + type + " while only " + Arrays.toString(signatureTypes) + " are allowed here."); throw new SignatureValidationException("Signature is of type " + type + " while only " +
Arrays.toString(signatureTypes) + " are allowed here.");
} }
} }
}; };
@ -568,18 +595,22 @@ public abstract class SignatureValidator {
* @param certifyingKey key that created the signature. * @param certifyingKey key that created the signature.
* @return validator * @return validator
*/ */
public static SignatureValidator correctSignatureOverUserId(String userId, PGPPublicKey certifiedKey, PGPPublicKey certifyingKey) { public static SignatureValidator correctSignatureOverUserId(String userId, PGPPublicKey certifiedKey,
PGPPublicKey certifyingKey) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
try { try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), certifyingKey); signature.init(ImplementationFactory.getInstance()
.getPGPContentVerifierBuilderProvider(), certifyingKey);
boolean valid = signature.verifyCertification(userId, certifiedKey); boolean valid = signature.verifyCertification(userId, certifiedKey);
if (!valid) { if (!valid) {
throw new SignatureValidationException("Signature over user-id '" + userId + "' is not correct."); throw new SignatureValidationException("Signature over user-id '" + userId +
"' is not correct.");
} }
} catch (PGPException | ClassCastException e) { } catch (PGPException | ClassCastException e) {
throw new SignatureValidationException("Cannot verify signature over user-id '" + userId + "'.", e); throw new SignatureValidationException("Cannot verify signature over user-id '" +
userId + "'.", e);
} }
} }
}; };
@ -593,12 +624,15 @@ public abstract class SignatureValidator {
* @param certifyingKey key that created the certification signature * @param certifyingKey key that created the certification signature
* @return validator * @return validator
*/ */
public static SignatureValidator correctSignatureOverUserAttributes(PGPUserAttributeSubpacketVector userAttributes, PGPPublicKey certifiedKey, PGPPublicKey certifyingKey) { public static SignatureValidator correctSignatureOverUserAttributes(PGPUserAttributeSubpacketVector userAttributes,
PGPPublicKey certifiedKey,
PGPPublicKey certifyingKey) {
return new SignatureValidator() { return new SignatureValidator() {
@Override @Override
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
try { try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), certifyingKey); signature.init(ImplementationFactory.getInstance()
.getPGPContentVerifierBuilderProvider(), certifyingKey);
boolean valid = signature.verifyCertification(userAttributes, certifiedKey); boolean valid = signature.verifyCertification(userAttributes, certifiedKey);
if (!valid) { if (!valid) {
throw new SignatureValidationException("Signature over user-attribute vector is not correct."); throw new SignatureValidationException("Signature over user-attribute vector is not correct.");
@ -616,12 +650,16 @@ public abstract class SignatureValidator {
public void verify(PGPSignature signature) throws SignatureValidationException { public void verify(PGPSignature signature) throws SignatureValidationException {
Date timestamp = signature.getCreationTime(); Date timestamp = signature.getCreationTime();
if (notBefore != null && timestamp.before(notBefore)) { if (notBefore != null && timestamp.before(notBefore)) {
throw new SignatureValidationException("Signature was made before the earliest allowed signature creation time. Created: " + throw new SignatureValidationException(
DateUtil.formatUTCDate(timestamp) + " Earliest allowed: " + DateUtil.formatUTCDate(notBefore)); "Signature was made before the earliest allowed signature creation time. Created: " +
DateUtil.formatUTCDate(timestamp) + " Earliest allowed: " +
DateUtil.formatUTCDate(notBefore));
} }
if (notAfter != null && timestamp.after(notAfter)) { if (notAfter != null && timestamp.after(notAfter)) {
throw new SignatureValidationException("Signature was made after the latest allowed signature creation time. Created: " + throw new SignatureValidationException(
DateUtil.formatUTCDate(timestamp) + " Latest allowed: " + DateUtil.formatUTCDate(notAfter)); "Signature was made after the latest allowed signature creation time. Created: " +
DateUtil.formatUTCDate(timestamp) + " Latest allowed: " +
DateUtil.formatUTCDate(notAfter));
} }
} }
}; };

View file

@ -36,12 +36,13 @@ public final class SignatureVerifier {
* @param signingKey key that created the certification * @param signingKey key that created the certification
* @param keyWithUserId key carrying the user-id * @param keyWithUserId key carrying the user-id
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if signature verification is successful * @return true if signature verification is successful
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate) public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureType type = SignatureType.valueOf(signature.getSignatureType()); SignatureType type = SignatureType.valueOf(signature.getSignatureType());
switch (type) { switch (type) {
@ -49,9 +50,9 @@ public final class SignatureVerifier {
case NO_CERTIFICATION: case NO_CERTIFICATION:
case CASUAL_CERTIFICATION: case CASUAL_CERTIFICATION:
case POSITIVE_CERTIFICATION: case POSITIVE_CERTIFICATION:
return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, validationDate); return verifyUserIdCertification(userId, signature, signingKey, keyWithUserId, policy, referenceDate);
case CERTIFICATION_REVOCATION: case CERTIFICATION_REVOCATION:
return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, validationDate); return verifyUserIdRevocation(userId, signature, signingKey, keyWithUserId, policy, referenceDate);
default: default:
throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type); throw new SignatureValidationException("Signature is not a valid user-id certification/revocation signature: " + type);
} }
@ -64,14 +65,15 @@ public final class SignatureVerifier {
* @param signature certification signature * @param signature certification signature
* @param primaryKey primary key * @param primaryKey primary key
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the self-signature is verified successfully * @return true if the self-signature is verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate) public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, validationDate); return verifyUserIdCertification(userId, signature, primaryKey, primaryKey, policy, referenceDate);
} }
/** /**
@ -82,17 +84,18 @@ public final class SignatureVerifier {
* @param signingKey key that created the certification * @param signingKey key that created the certification
* @param keyWithUserId primary key that carries the user-id * @param keyWithUserId primary key that carries the user-id
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if signature verification is successful * @return true if signature verification is successful
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate) public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsCertification().verify(signature); SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature); SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true; return true;
@ -105,14 +108,15 @@ public final class SignatureVerifier {
* @param signature user-id revocation signature * @param signature user-id revocation signature
* @param primaryKey primary key * @param primaryKey primary key
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified * @return true if the user-id revocation signature is successfully verified
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate) public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, validationDate); return verifyUserIdRevocation(userId, signature, primaryKey, primaryKey, policy, referenceDate);
} }
/** /**
@ -123,17 +127,18 @@ public final class SignatureVerifier {
* @param signingKey key that created the revocation signature * @param signingKey key that created the revocation signature
* @param keyWithUserId primary key carrying the user-id * @param keyWithUserId primary key carrying the user-id
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the user-id revocation signature is successfully verified * @return true if the user-id revocation signature is successfully verified
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate) public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserId, Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature); SignatureValidator.correctSignatureOverUserId(userId, keyWithUserId, signingKey).verify(signature);
return true; return true;
@ -146,16 +151,17 @@ public final class SignatureVerifier {
* @param signature certification self-signature * @param signature certification self-signature
* @param primaryKey primary key that carries the user-attributes * @param primaryKey primary key that carries the user-attributes
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the signature can be verified successfully * @return true if the signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes, public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey, PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate) Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy, validationDate); return verifyUserAttributesCertification(userAttributes, signature, primaryKey, primaryKey, policy,
referenceDate);
} }
/** /**
@ -166,7 +172,7 @@ public final class SignatureVerifier {
* @param signingKey key that created the user-attributes certification * @param signingKey key that created the user-attributes certification
* @param keyWithUserAttributes key that carries the user-attributes certification * @param keyWithUserAttributes key that carries the user-attributes certification
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the signature can be verified successfully * @return true if the signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
@ -174,13 +180,14 @@ public final class SignatureVerifier {
public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes, public static boolean verifyUserAttributesCertification(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey, PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy, PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate) Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsCertification().verify(signature); SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature); SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey)
.verify(signature);
return true; return true;
} }
@ -192,16 +199,16 @@ public final class SignatureVerifier {
* @param signature user-attributes revocation signature * @param signature user-attributes revocation signature
* @param primaryKey primary key that carries the user-attributes * @param primaryKey primary key that carries the user-attributes
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the revocation signature can be verified successfully * @return true if the revocation signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes, public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey primaryKey, PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date validationDate) Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, validationDate); return verifyUserAttributesRevocation(userAttributes, signature, primaryKey, primaryKey, policy, referenceDate);
} }
/** /**
@ -212,7 +219,7 @@ public final class SignatureVerifier {
* @param signingKey revocation key * @param signingKey revocation key
* @param keyWithUserAttributes key that carries the user-attributes * @param keyWithUserAttributes key that carries the user-attributes
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the revocation signature can be verified successfully * @return true if the revocation signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
@ -220,13 +227,14 @@ public final class SignatureVerifier {
public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes, public static boolean verifyUserAttributesRevocation(PGPUserAttributeSubpacketVector userAttributes,
PGPSignature signature, PGPPublicKey signingKey, PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey keyWithUserAttributes, Policy policy, PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate) Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey).verify(signature); SignatureValidator.correctSignatureOverUserAttributes(userAttributes, keyWithUserAttributes, signingKey)
.verify(signature);
return true; return true;
} }
@ -238,18 +246,20 @@ public final class SignatureVerifier {
* @param primaryKey primary key * @param primaryKey primary key
* @param subkey subkey * @param subkey subkey
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the binding signature can be verified successfully * @return true if the binding signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) public static boolean verifySubkeyBindingSignature(PGPSignature signature, PGPPublicKey primaryKey,
PGPPublicKey subkey, Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_BINDING).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature); SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, validationDate).verify(signature); SignatureValidator.hasValidPrimaryKeyBindingSignatureIfRequired(primaryKey, subkey, policy, referenceDate)
.verify(signature);
SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature); SignatureValidator.correctSubkeyBindingSignature(primaryKey, subkey).verify(signature);
return true; return true;
@ -262,16 +272,18 @@ public final class SignatureVerifier {
* @param primaryKey primary key * @param primaryKey primary key
* @param subkey subkey * @param subkey subkey
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the subkey revocation signature can be verified successfully * @return true if the subkey revocation signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey, PGPPublicKey subkey, Policy policy, Date validationDate) throws SignatureValidationException { public static boolean verifySubkeyBindingRevocation(PGPSignature signature, PGPPublicKey primaryKey,
PGPPublicKey subkey, Policy policy, Date referenceDate)
throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.SUBKEY_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature); SignatureValidator.signatureDoesNotPredateSignee(subkey).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature); SignatureValidator.correctSignatureOverKey(primaryKey, subkey).verify(signature);
return true; return true;
@ -283,14 +295,15 @@ public final class SignatureVerifier {
* @param signature signature * @param signature signature
* @param primaryKey primary key * @param primaryKey primary key
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the signature can be verified successfully * @return true if the signature can be verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate) public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, validationDate); return verifyDirectKeySignature(signature, primaryKey, primaryKey, policy, referenceDate);
} }
/** /**
@ -300,17 +313,18 @@ public final class SignatureVerifier {
* @param signingKey signing key * @param signingKey signing key
* @param signedKey signed key * @param signedKey signed key
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if signature verification is successful * @return true if signature verification is successful
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey signedKey, Policy policy, Date validationDate) public static boolean verifyDirectKeySignature(PGPSignature signature, PGPPublicKey signingKey,
PGPPublicKey signedKey, Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.DIRECT_KEY).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureDoesNotPredateSignee(signedKey).verify(signature); SignatureValidator.signatureDoesNotPredateSignee(signedKey).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature); SignatureValidator.correctSignatureOverKey(signingKey, signedKey).verify(signature);
return true; return true;
@ -322,16 +336,17 @@ public final class SignatureVerifier {
* @param signature signature * @param signature signature
* @param primaryKey primary key * @param primaryKey primary key
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if signature verification is successful * @return true if signature verification is successful
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate) public static boolean verifyKeyRevocationSignature(PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature); SignatureValidator.signatureIsOfType(SignatureType.KEY_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(primaryKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature); SignatureValidator.correctSignatureOverKey(primaryKey, primaryKey).verify(signature);
return true; return true;
@ -344,14 +359,16 @@ public final class SignatureVerifier {
* @param signedData input stream containing the signed data * @param signedData input stream containing the signed data
* @param signingKey the key that created the signature * @param signingKey the key that created the signature
* @param policy policy * @param policy policy
* @param validationDate reference date of signature verification * @param referenceDate reference date of signature verification
* @return true if the signature is successfully verified * @return true if the signature is successfully verified
* *
* @throws SignatureValidationException if the signature verification fails for some reason * @throws SignatureValidationException if the signature verification fails for some reason
*/ */
public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey, Policy policy, Date validationDate) throws SignatureValidationException { public static boolean verifyUninitializedSignature(PGPSignature signature, InputStream signedData,
PGPPublicKey signingKey, Policy policy, Date referenceDate)
throws SignatureValidationException {
initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey); initializeSignatureAndUpdateWithSignedData(signature, signedData, signingKey);
return verifyInitializedSignature(signature, signingKey, policy, validationDate); return verifyInitializedSignature(signature, signingKey, policy, referenceDate);
} }
/** /**
@ -363,7 +380,8 @@ public final class SignatureVerifier {
* *
* @throws SignatureValidationException in case the signature cannot be verified for some reason * @throws SignatureValidationException in case the signature cannot be verified for some reason
*/ */
public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData, PGPPublicKey signingKey) public static void initializeSignatureAndUpdateWithSignedData(PGPSignature signature, InputStream signedData,
PGPPublicKey signingKey)
throws SignatureValidationException { throws SignatureValidationException {
try { try {
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey); signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
@ -399,16 +417,17 @@ public final class SignatureVerifier {
* @param signature OpenPGP signature * @param signature OpenPGP signature
* @param signingKey key that created the signature * @param signingKey key that created the signature
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if signature is verified successfully * @return true if signature is verified successfully
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy, Date validationDate) public static boolean verifyInitializedSignature(PGPSignature signature, PGPPublicKey signingKey, Policy policy,
Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature); SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature); SignatureValidator.signatureIsEffective(referenceDate).verify(signature);
try { try {
if (!signature.verify()) { if (!signature.verify()) {
@ -420,7 +439,8 @@ public final class SignatureVerifier {
} }
} }
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignatureCheck onePassSignature, Policy policy) public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey,
OnePassSignatureCheck onePassSignature, Policy policy)
throws SignatureValidationException { throws SignatureValidationException {
try { try {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature); SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
@ -435,10 +455,12 @@ public final class SignatureVerifier {
throw new IllegalStateException("No comparison signature provided."); throw new IllegalStateException("No comparison signature provided.");
} }
if (!onePassSignature.getOnePassSignature().verify(signature)) { if (!onePassSignature.getOnePassSignature().verify(signature)) {
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID())); throw new SignatureValidationException("Bad signature of key " +
Long.toHexString(signingKey.getKeyID()));
} }
} catch (PGPException e) { } catch (PGPException e) {
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e); throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " +
e.getMessage(), e);
} }
return true; return true;
@ -451,13 +473,14 @@ public final class SignatureVerifier {
* @param signature self-signature * @param signature self-signature
* @param primaryKey primary key that created the signature * @param primaryKey primary key that created the signature
* @param policy policy * @param policy policy
* @param validationDate reference date for signature verification * @param referenceDate reference date for signature verification
* @return true if the signature is successfully verified * @return true if the signature is successfully verified
* *
* @throws SignatureValidationException if signature verification fails for some reason * @throws SignatureValidationException if signature verification fails for some reason
*/ */
public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey, Policy policy, Date validationDate) public static boolean verifySignatureOverUserId(String userId, PGPSignature signature, PGPPublicKey primaryKey,
Policy policy, Date referenceDate)
throws SignatureValidationException { throws SignatureValidationException {
return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, validationDate); return verifySignatureOverUserId(userId, signature, primaryKey, primaryKey, policy, referenceDate);
} }
} }