From c39d5a09ce029bdfced3da718aca029311266d6f Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Tue, 12 Apr 2022 21:08:21 +0200
Subject: [PATCH] WIP: Fix fake signature issuer test
---
 .../consumer/SignatureValidator.java | 34 ++++++++++++-------
 .../subpackets/SignatureSubpacketsUtil.java | 25 ++++++++++++++
 2 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
index 51bfa7c3..e6c02ae0 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java
@@ -59,13 +59,23 @@ public abstract class SignatureValidator {
 public void verify(PGPSignature signature) throws SignatureValidationException {
 OpenPgpFingerprint signingKeyFingerprint = OpenPgpFingerprint.of(signingKey);
- Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
- if (issuer != null) {
- if (issuer != signingKey.getKeyID()) {
- throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
+ List issuers = SignatureSubpacketsUtil.getIssuerKeyIdsAsLongs(signature);
+ boolean match = false;
+ for (Long issuer : issuers) {
+ if (issuer == 0L || issuer == signingKey.getKeyID()) {
+ match = true;
+ break;
 }
 }
+ if (!match) {
+ String[] hex = new String[issuers.size()];
+ for (int i = 0; i < hex.length; i++) {
+ hex[i] = Long.toHexString(issuers.get(i));
+ }
+ throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuers: " + Arrays.toString(hex) + ")");
+ }
+
 OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
 if (fingerprint != null) {
 if (!fingerprint.equals(signingKeyFingerprint)) {
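Review bot: With `boolean match = false;`, a signature that carries no issuer key-ID subpacket leaves `issuers` empty and is now rejected, whereas the removed code skipped this check when the issuer was absent and went on to the issuer-fingerprint comparison. If that stricter behaviour is not intended, start from `boolean match = issuers.isEmpty();`. The `issuer == 0L` branch also lets a zero key ID satisfy the check for any signing key, and the IDs are gathered from the unhashed area as well, so this comparison is a consistency hint rather than proof of origin. A comment such as `// 0 is treated as a wildcard issuer; the binding to signingKey presumably comes from the cryptographic verification, not from this subpacket` would make that explicit. The body of verify() continues past the end of the hunk.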
@@ -170,14 +180,14 @@ public abstract class SignatureValidator {
 @Override
 public void verify(PGPSignature signature) throws SignatureValidationException {
 PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(signingKey.getAlgorithm());
- int bitStrength = signingKey.getBitStrength();
- if (bitStrength == -1) {
- throw new SignatureValidationException("Cannot determine bit strength of signing key.");
- }
- if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
- throw new SignatureValidationException("Signature was made using unacceptable key. " +
- algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
- }
+ int bitStrength = signingKey.getBitStrength();
+ if (bitStrength == -1) {
+ throw new SignatureValidationException("Cannot determine bit strength of signing key.");
+ }
+ if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
+ throw new SignatureValidationException("Signature was made using unacceptable key. " +
+ algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
+ }
 }
 };
 }
diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
index 9ebc03e8..46af9d6c 100644
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/subpackets/SignatureSubpacketsUtil.java
@@ -93,6 +93,21 @@ public final class SignatureSubpacketsUtil {
 return fingerprint;
 }
+ public static List getIssuerKeyIds(PGPSignature signature) {
+ List keyIds = getSignatureSubpackets(signature.getHashedSubPackets(), SignatureSubpacket.issuerKeyId);
+ keyIds.addAll(getSignatureSubpackets(signature.getUnhashedSubPackets(), SignatureSubpacket.issuerKeyId));
+ return keyIds;
+ }
+
+ public static List getIssuerKeyIdsAsLongs(PGPSignature signature) {
+ List keyIds = getIssuerKeyIds(signature);
+ List longs = new ArrayList<>();
+ for (IssuerKeyID keyID : keyIds) {
+ longs.add(keyID.getKeyID());
+ }
+ return longs;
+ }
+
 /**
 * Return the issuer key-id subpacket of the signature.
 * Since this packet is self-authenticating, we expect it to be in the unhashed area,
@@ -577,6 +592,16 @@ public final class SignatureSubpacketsUtil {
 return hashedSubpacket != null ? hashedSubpacket : unhashed(signature, type);
 }
+ public static
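Review bot: getIssuerKeyIds() appends the unhashed-area subpackets to the hashed ones and returns one flat list, so a caller can no longer tell which issuer IDs were covered by the signature and which could have been attached to the packet afterwards. Both new public methods also lack the Javadoc that the neighbouring methods carry. I would document the ordering and the trust level, e.g. `/** Return all issuer key-id subpackets, hashed area first; entries from the unhashed area are not protected by the signature. */`, and add a matching one-line summary on getIssuerKeyIdsAsLongs().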

List

getSignatureSubpackets(
+ PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
+ List

subpackets = new ArrayList<>();
+ org.bouncycastle.bcpg.SignatureSubpacket[] fromVector = vector.getSubpackets(type.getCode());
+ for (org.bouncycastle.bcpg.SignatureSubpacket p : fromVector) {
+ subpackets.add((P) p);
+ }
+ return subpackets;
+ }
+
 /**
 * Return the last occurrence of a subpacket type in the given signature subpacket vector.
 *
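Review bot: `vector.getSubpackets(type.getCode())` is called without a null check, and the call sites added earlier in this patch pass `signature.getHashedSubPackets()` and `signature.getUnhashedSubPackets()` straight in. As far as I know Bouncy Castle can return null there for signatures that have no subpacket area (v3), so a legacy or malformed signature would surface as a NullPointerException instead of a SignatureValidationException. A guard at the top, `if (vector == null) { return new ArrayList<>(); }`, keeps the helper total. The cast `(P) p` is unchecked, so a `type` whose code does not correspond to `P` only fails later at the caller's use site; document that contract and confine the warning with `@SuppressWarnings("unchecked")` on the method. The Javadoc that follows the hunk belongs to the next method, and this one has none.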