mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-22 19:08:00 +01:00
Test modifyKeyRing().addSubkey() respects pk algorithm policy
This commit is contained in:
parent
e7d0cf9c00
commit
8d6aca0d04
1 changed files with 87 additions and 0 deletions
|
@ -0,0 +1,87 @@
|
|||
// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.key.modification;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.EnumMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.algorithm.EncryptionPurpose;
|
||||
import org.pgpainless.algorithm.KeyFlag;
|
||||
import org.pgpainless.algorithm.PublicKeyAlgorithm;
|
||||
import org.pgpainless.key.generation.KeySpec;
|
||||
import org.pgpainless.key.generation.type.KeyType;
|
||||
import org.pgpainless.key.generation.type.rsa.RsaLength;
|
||||
import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterface;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
import org.pgpainless.policy.Policy;
|
||||
import org.pgpainless.util.Passphrase;
|
||||
|
||||
public class RefuseToAddWeakSubkeyTest {
|
||||
|
||||
@Test
|
||||
public void testEditorRefusesToAddWeakSubkey() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
|
||||
// ensure default policy is set
|
||||
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
|
||||
|
||||
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
|
||||
.modernKeyRing("Alice", null);
|
||||
SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys);
|
||||
KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build();
|
||||
|
||||
assertThrows(IllegalArgumentException.class, () ->
|
||||
editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testEditorAllowsToAddWeakSubkeyIfCompliesToPublicKeyAlgorithmPolicy() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException {
|
||||
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
|
||||
.modernKeyRing("Alice", null);
|
||||
|
||||
// set weak policy
|
||||
Map<PublicKeyAlgorithm, Integer> minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
|
||||
// §5.4.1
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 1024);
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_SIGN, 1024);
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.RSA_ENCRYPT, 1024);
|
||||
// Note: ElGamal is not mentioned in the BSI document.
|
||||
// We assume that the requirements are similar to other DH algorithms
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_ENCRYPT, 2000);
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.ELGAMAL_GENERAL, 2000);
|
||||
// §5.4.2
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.DSA, 2000);
|
||||
// §5.4.3
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.ECDSA, 250);
|
||||
// Note: EdDSA is not mentioned in the BSI document.
|
||||
// We assume that the requirements are similar to other EC algorithms.
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.EDDSA, 250);
|
||||
// §7.2.1
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000);
|
||||
// §7.2.2
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250);
|
||||
minimalBitStrengths.put(PublicKeyAlgorithm.EC, 250);
|
||||
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths));
|
||||
|
||||
SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys);
|
||||
KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS).build();
|
||||
|
||||
secretKeys = editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())
|
||||
.done();
|
||||
|
||||
assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size());
|
||||
|
||||
// reset default policy
|
||||
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.defaultPublicKeyAlgorithmPolicy());
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue