From bf9bf94fb0bd4ec88bdee7157765cfc826dc1f1d Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Fri, 21 Jul 2023 16:38:34 +0200
Subject: [PATCH] Integrate WoT by adding EncryptionOptions.addAuthenticatableRecipients() method
---
 .../authentication/CertificateAuthority.java | 17 +++++++++++
 .../encryption_signing/EncryptionOptions.java | 28 +++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java b/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
index 7f48c9c6..5c7f60cd 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/authentication/CertificateAuthority.java
@@ -8,6 +8,7 @@ import org.pgpainless.key.OpenPgpFingerprint;
 import javax.annotation.Nonnull;
 import java.util.Date;
+import java.util.List;
 public interface CertificateAuthority {
@@ -30,4 +31,20 @@ public interface CertificateAuthority {
 boolean email,
 @Nonnull Date referenceTime,
 int targetAmount);
+
+ /**
+ * Identify certificates, which carry a trustworthy binding to the given userId.
+ *
+ * @param userId userId
+ * @param email if true, the user-ID will be treated as an email address and all user-IDs containing
+ * the email address will be matched.
+ * @param referenceTime reference time at which the binding shall be evaluated
+ * @param targetAmount target trust amount (120 = fully authenticated, 240 = doubly authenticated,
+ * 60 = partially authenticated...)
+ * @return list of identified bindings
+ */
+ List identify(@Nonnull String userId,
+ boolean email,
+ @Nonnull Date referenceTime,
+ int targetAmount);
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
index 248a8ce4..44122bdc 100644
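Review bot: The Javadoc on the new `identify(...)` method in the second CertificateAuthority hunk does not say whether the returned list holds only bindings that reach `targetAmount` or every candidate binding together with its computed authenticity. The caller added to EncryptionOptions in this same patch filters the result with `isAuthenticated()`, which suggests entries below the target can be present, so a reader who takes "trustworthy binding" literally could skip that check and treat every entry as verified. I would spell it out in the `@return` line, for example `@return list of candidate bindings, possibly empty but never null; callers must check isAuthenticated() on each entry`. The return type could also carry `@Nonnull`, as the parameters already do.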
--- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/EncryptionOptions.java
@@ -23,6 +23,8 @@ import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator;
 import org.bouncycastle.openpgp.operator.PublicKeyKeyEncryptionMethodGenerator;
 import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
+import org.pgpainless.authentication.CertificateAuthenticity;
+import org.pgpainless.authentication.CertificateAuthority;
 import org.pgpainless.exception.KeyException;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpFingerprint;
@@ -113,6 +115,32 @@ public class EncryptionOptions {
 return new EncryptionOptions(EncryptionPurpose.STORAGE);
 }
+ /**
+ * Identify authenticatable certificates for the given user-ID by querying the {@link CertificateAuthority} for
+ * identifiable bindings.
+ * Add all acceptable bindings, whose trust amount is larger or equal to the target amount to the list of recipients.
+ * @param userId userId
+ * @param email if true, treat the user-ID as an email address and match all user-IDs containing the mail address
+ * @param authority certificate authority
+ * @param targetAmount target amount (120 = fully authenticated, 240 = doubly authenticated,
+ * 60 = partially authenticated...)
+ * @return encryption options
+ */
+ public EncryptionOptions addAuthenticatableRecipients(String userId, boolean email, CertificateAuthority authority, int targetAmount) {
+ List identifiedCertificates = authority.identify(userId, email, new Date(), targetAmount);
+ boolean foundAcceptable = false;
+ for (CertificateAuthenticity candidate : identifiedCertificates) {
+ if (candidate.isAuthenticated()) {
+ addRecipient(candidate.getCertificate());
+ foundAcceptable = true;
+ }
+ }
+ if (!foundAcceptable) {
+ throw new IllegalArgumentException("Could not identify any trust-worthy certificates for '" + userId + "' and target trust amount " + targetAmount);
+ }
+ return this;
+ }
+
 /**
 * Add all key rings in the provided {@link Iterable} (e.g. {@link PGPPublicKeyRingCollection}) as recipients.
 *
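Review bot: `addAuthenticatableRecipients` passes `targetAmount` straight to `authority.identify(...)` with no lower bound, then adds every candidate the authority reports as authenticated as a recipient. If an implementation treats a zero or negative target as trivially met (not visible in this patch), a caller mistake would silently encrypt to unauthenticated certificates; a guard such as `if (targetAmount <= 0) throw new IllegalArgumentException("targetAmount must be positive");` would make that mistake fail loudly. The `userId` and `authority` parameters also lack the `@Nonnull` annotation that the interface method uses, and the reference time is fixed to `new Date()`, so the selection cannot be evaluated at a caller-chosen time. With `email` set to true several certificates may be added for one address, so the Javadoc should state that the message becomes readable to all of them.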