mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-26 22:32:07 +01:00
Adding subkeys, generating keys: Verify subkeys comply to public key algorithm policy
This commit is contained in:
parent
f5c3e7b23f
commit
8b1bdb98f1
14 changed files with 92 additions and 16 deletions
|
@ -39,11 +39,13 @@ import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
|
||||||
import org.pgpainless.PGPainless;
|
import org.pgpainless.PGPainless;
|
||||||
import org.pgpainless.algorithm.HashAlgorithm;
|
import org.pgpainless.algorithm.HashAlgorithm;
|
||||||
import org.pgpainless.algorithm.KeyFlag;
|
import org.pgpainless.algorithm.KeyFlag;
|
||||||
|
import org.pgpainless.algorithm.PublicKeyAlgorithm;
|
||||||
import org.pgpainless.algorithm.SignatureType;
|
import org.pgpainless.algorithm.SignatureType;
|
||||||
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
||||||
import org.pgpainless.implementation.ImplementationFactory;
|
import org.pgpainless.implementation.ImplementationFactory;
|
||||||
import org.pgpainless.key.generation.type.KeyType;
|
import org.pgpainless.key.generation.type.KeyType;
|
||||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||||
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.provider.ProviderFactory;
|
import org.pgpainless.provider.ProviderFactory;
|
||||||
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
||||||
|
@ -62,6 +64,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeyRingBuilder setPrimaryKey(@Nonnull KeySpec keySpec) {
|
public KeyRingBuilder setPrimaryKey(@Nonnull KeySpec keySpec) {
|
||||||
|
verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy());
|
||||||
verifyMasterKeyCanCertify(keySpec);
|
verifyMasterKeyCanCertify(keySpec);
|
||||||
this.primaryKeySpec = keySpec;
|
this.primaryKeySpec = keySpec;
|
||||||
return this;
|
return this;
|
||||||
|
@ -69,6 +72,7 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public KeyRingBuilder addSubkey(@Nonnull KeySpec keySpec) {
|
public KeyRingBuilder addSubkey(@Nonnull KeySpec keySpec) {
|
||||||
|
verifyKeySpecCompliesToPolicy(keySpec, PGPainless.getPolicy());
|
||||||
this.subkeySpecs.add(keySpec);
|
this.subkeySpecs.add(keySpec);
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
@ -107,6 +111,16 @@ public class KeyRingBuilder implements KeyRingBuilderInterface<KeyRingBuilder> {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void verifyKeySpecCompliesToPolicy(KeySpec keySpec, Policy policy) {
|
||||||
|
PublicKeyAlgorithm publicKeyAlgorithm = keySpec.getKeyType().getAlgorithm();
|
||||||
|
int bitStrength = keySpec.getKeyType().getBitStrength();
|
||||||
|
|
||||||
|
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
|
||||||
|
throw new IllegalArgumentException("Public key algorithm policy violation: " +
|
||||||
|
publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void verifyMasterKeyCanCertify(KeySpec spec) {
|
private void verifyMasterKeyCanCertify(KeySpec spec) {
|
||||||
if (!hasCertifyOthersFlag(spec)) {
|
if (!hasCertifyOthersFlag(spec)) {
|
||||||
throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
|
throw new IllegalArgumentException("Certification Key MUST have KeyFlag CERTIFY_OTHER");
|
||||||
|
|
|
@ -27,7 +27,7 @@ public class KeySpec {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Nonnull
|
@Nonnull
|
||||||
KeyType getKeyType() {
|
public KeyType getKeyType() {
|
||||||
return keyType;
|
return keyType;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,12 @@ public interface KeyType {
|
||||||
*/
|
*/
|
||||||
PublicKeyAlgorithm getAlgorithm();
|
PublicKeyAlgorithm getAlgorithm();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the strength of the key in bits.
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
int getBitStrength();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return an implementation of {@link AlgorithmParameterSpec} that can be used to generate the key.
|
* Return an implementation of {@link AlgorithmParameterSpec} that can be used to generate the key.
|
||||||
*
|
*
|
||||||
|
|
|
@ -15,22 +15,28 @@ import org.pgpainless.key.generation.type.xdh.XDHSpec;
|
||||||
* {@link XDHSpec} and {@link org.pgpainless.key.generation.type.eddsa.EdDSACurve}.
|
* {@link XDHSpec} and {@link org.pgpainless.key.generation.type.eddsa.EdDSACurve}.
|
||||||
*/
|
*/
|
||||||
public enum EllipticCurve {
|
public enum EllipticCurve {
|
||||||
_P256("prime256v1"), // prime256v1 is equivalent to P-256, see https://tools.ietf.org/search/rfc4492#page-32
|
_P256("prime256v1", 256), // prime256v1 is equivalent to P-256, see https://tools.ietf.org/search/rfc4492#page-32
|
||||||
_P384("secp384r1"), // secp384r1 is equivalent to P-384, see https://tools.ietf.org/search/rfc4492#page-32
|
_P384("secp384r1", 384), // secp384r1 is equivalent to P-384, see https://tools.ietf.org/search/rfc4492#page-32
|
||||||
_P521("secp521r1"), // secp521r1 is equivalent to P-521, see https://tools.ietf.org/search/rfc4492#page-32
|
_P521("secp521r1", 521), // secp521r1 is equivalent to P-521, see https://tools.ietf.org/search/rfc4492#page-32
|
||||||
_SECP256K1("secp256k1"),
|
_SECP256K1("secp256k1", 256),
|
||||||
_BRAINPOOLP256R1("brainpoolP256r1"),
|
_BRAINPOOLP256R1("brainpoolP256r1", 256),
|
||||||
_BRAINPOOLP384R1("brainpoolP384r1"),
|
_BRAINPOOLP384R1("brainpoolP384r1", 384),
|
||||||
_BRAINPOOLP512R1("brainpoolP512r1")
|
_BRAINPOOLP512R1("brainpoolP512r1", 512)
|
||||||
;
|
;
|
||||||
|
|
||||||
private final String name;
|
private final String name;
|
||||||
|
private final int bitStrength;
|
||||||
|
|
||||||
EllipticCurve(@Nonnull String name) {
|
EllipticCurve(@Nonnull String name, int bitStrength) {
|
||||||
this.name = name;
|
this.name = name;
|
||||||
|
this.bitStrength = bitStrength;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return name;
|
return name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public int getBitStrength() {
|
||||||
|
return bitStrength;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,6 +34,11 @@ public final class ECDH implements KeyType {
|
||||||
return PublicKeyAlgorithm.ECDH;
|
return PublicKeyAlgorithm.ECDH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return curve.getBitStrength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new ECNamedCurveGenParameterSpec(curve.getName());
|
return new ECNamedCurveGenParameterSpec(curve.getName());
|
||||||
|
|
|
@ -35,6 +35,11 @@ public final class ECDSA implements KeyType {
|
||||||
return PublicKeyAlgorithm.ECDSA;
|
return PublicKeyAlgorithm.ECDSA;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return curve.getBitStrength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new ECNamedCurveGenParameterSpec(curve.getName());
|
return new ECNamedCurveGenParameterSpec(curve.getName());
|
||||||
|
|
|
@ -35,6 +35,11 @@ public final class EdDSA implements KeyType {
|
||||||
return PublicKeyAlgorithm.EDDSA;
|
return PublicKeyAlgorithm.EDDSA;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return curve.getBitStrength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new ECNamedCurveGenParameterSpec(curve.getName());
|
return new ECNamedCurveGenParameterSpec(curve.getName());
|
||||||
|
|
|
@ -7,16 +7,22 @@ package org.pgpainless.key.generation.type.eddsa;
|
||||||
import javax.annotation.Nonnull;
|
import javax.annotation.Nonnull;
|
||||||
|
|
||||||
public enum EdDSACurve {
|
public enum EdDSACurve {
|
||||||
_Ed25519("ed25519"),
|
_Ed25519("ed25519", 256),
|
||||||
;
|
;
|
||||||
|
|
||||||
final String name;
|
final String name;
|
||||||
|
final int bitStrength;
|
||||||
|
|
||||||
EdDSACurve(@Nonnull String curveName) {
|
EdDSACurve(@Nonnull String curveName, int bitStrength) {
|
||||||
this.name = curveName;
|
this.name = curveName;
|
||||||
|
this.bitStrength = bitStrength;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return name;
|
return name;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public int getBitStrength() {
|
||||||
|
return bitStrength;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,6 +36,11 @@ public final class ElGamal implements KeyType {
|
||||||
return PublicKeyAlgorithm.ELGAMAL_ENCRYPT;
|
return PublicKeyAlgorithm.ELGAMAL_ENCRYPT;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return length.getLength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new ElGamalParameterSpec(length.getP(), length.getG());
|
return new ElGamalParameterSpec(length.getP(), length.getG());
|
||||||
|
|
|
@ -36,6 +36,11 @@ public class RSA implements KeyType {
|
||||||
return PublicKeyAlgorithm.RSA_GENERAL;
|
return PublicKeyAlgorithm.RSA_GENERAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return length.getLength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new RSAKeyGenParameterSpec(length.getLength(), RSAKeyGenParameterSpec.F4);
|
return new RSAKeyGenParameterSpec(length.getLength(), RSAKeyGenParameterSpec.F4);
|
||||||
|
|
|
@ -32,6 +32,11 @@ public final class XDH implements KeyType {
|
||||||
return PublicKeyAlgorithm.ECDH;
|
return PublicKeyAlgorithm.ECDH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getBitStrength() {
|
||||||
|
return spec.getBitStrength();
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AlgorithmParameterSpec getAlgorithmSpec() {
|
public AlgorithmParameterSpec getAlgorithmSpec() {
|
||||||
return new ECNamedCurveGenParameterSpec(spec.getName());
|
return new ECNamedCurveGenParameterSpec(spec.getName());
|
||||||
|
|
|
@ -7,15 +7,17 @@ package org.pgpainless.key.generation.type.xdh;
|
||||||
import javax.annotation.Nonnull;
|
import javax.annotation.Nonnull;
|
||||||
|
|
||||||
public enum XDHSpec {
|
public enum XDHSpec {
|
||||||
_X25519("X25519", "curve25519"),
|
_X25519("X25519", "curve25519", 256),
|
||||||
;
|
;
|
||||||
|
|
||||||
final String name;
|
final String name;
|
||||||
final String curveName;
|
final String curveName;
|
||||||
|
final int bitStrength;
|
||||||
|
|
||||||
XDHSpec(@Nonnull String name, @Nonnull String curveName) {
|
XDHSpec(@Nonnull String name, @Nonnull String curveName, int bitStrength) {
|
||||||
this.name = name;
|
this.name = name;
|
||||||
this.curveName = curveName;
|
this.curveName = curveName;
|
||||||
|
this.bitStrength = bitStrength;
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getName() {
|
public String getName() {
|
||||||
|
@ -25,4 +27,8 @@ public enum XDHSpec {
|
||||||
public String getCurveName() {
|
public String getCurveName() {
|
||||||
return curveName;
|
return curveName;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public int getBitStrength() {
|
||||||
|
return bitStrength;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -70,6 +70,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketGeneratorUtil;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
import org.pgpainless.signature.subpackets.SignatureSubpackets;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
|
||||||
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
||||||
|
import org.pgpainless.util.BCUtil;
|
||||||
import org.pgpainless.util.CollectionUtils;
|
import org.pgpainless.util.CollectionUtils;
|
||||||
import org.pgpainless.util.Passphrase;
|
import org.pgpainless.util.Passphrase;
|
||||||
import org.pgpainless.util.selection.userid.SelectUserId;
|
import org.pgpainless.util.selection.userid.SelectUserId;
|
||||||
|
@ -169,7 +170,6 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
||||||
@Nonnull Passphrase subKeyPassphrase,
|
@Nonnull Passphrase subKeyPassphrase,
|
||||||
@Nonnull SecretKeyRingProtector secretKeyRingProtector)
|
@Nonnull SecretKeyRingProtector secretKeyRingProtector)
|
||||||
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
|
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, IOException {
|
||||||
|
|
||||||
PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec);
|
PGPKeyPair keyPair = KeyRingBuilder.generateKeyPair(keySpec);
|
||||||
|
|
||||||
SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector
|
SecretKeyRingProtector subKeyProtector = PasswordBasedSecretKeyRingProtector
|
||||||
|
@ -216,11 +216,19 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
||||||
@Nonnull SecretKeyRingProtector primaryKeyProtector,
|
@Nonnull SecretKeyRingProtector primaryKeyProtector,
|
||||||
@Nonnull KeyFlag keyFlag,
|
@Nonnull KeyFlag keyFlag,
|
||||||
KeyFlag... additionalKeyFlags)
|
KeyFlag... additionalKeyFlags)
|
||||||
throws PGPException, IOException {
|
throws PGPException, IOException, NoSuchAlgorithmException {
|
||||||
KeyFlag[] flags = concat(keyFlag, additionalKeyFlags);
|
KeyFlag[] flags = concat(keyFlag, additionalKeyFlags);
|
||||||
PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
|
PublicKeyAlgorithm subkeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
|
||||||
SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm);
|
SignatureSubpacketsUtil.assureKeyCanCarryFlags(subkeyAlgorithm);
|
||||||
|
|
||||||
|
// check key against public key algorithm policy
|
||||||
|
PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.fromId(subkey.getPublicKey().getAlgorithm());
|
||||||
|
int bitStrength = BCUtil.getBitStrength(subkey.getPublicKey());
|
||||||
|
if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) {
|
||||||
|
throw new IllegalArgumentException("Public key algorithm policy violation: " +
|
||||||
|
publicKeyAlgorithm + " with bit strength " + bitStrength + " is not acceptable.");
|
||||||
|
}
|
||||||
|
|
||||||
PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
|
PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
|
||||||
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
|
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
|
||||||
PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.fromId(primaryKey.getPublicKey().getAlgorithm());
|
PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.fromId(primaryKey.getPublicKey().getAlgorithm());
|
||||||
|
|
|
@ -119,7 +119,7 @@ public interface SecretKeyRingEditorInterface {
|
||||||
@Nonnull SecretKeyRingProtector primaryKeyProtector,
|
@Nonnull SecretKeyRingProtector primaryKeyProtector,
|
||||||
@Nonnull KeyFlag keyFlag,
|
@Nonnull KeyFlag keyFlag,
|
||||||
KeyFlag... additionalKeyFlags)
|
KeyFlag... additionalKeyFlags)
|
||||||
throws PGPException, IOException;
|
throws PGPException, IOException, NoSuchAlgorithmException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Revoke the key ring.
|
* Revoke the key ring.
|
||||||
|
|
Loading…
Reference in a new issue