mirror of
https://github.com/pgpainless/pgpainless.git
synced 2025-01-12 21:26:26 +01:00
WIP: Fix fake signature issuer test
This commit is contained in:
parent
218d7becae
commit
c39d5a09ce
2 changed files with 47 additions and 12 deletions
|
@ -59,13 +59,23 @@ public abstract class SignatureValidator {
|
||||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||||
OpenPgpFingerprint signingKeyFingerprint = OpenPgpFingerprint.of(signingKey);
|
OpenPgpFingerprint signingKeyFingerprint = OpenPgpFingerprint.of(signingKey);
|
||||||
|
|
||||||
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
|
List<Long> issuers = SignatureSubpacketsUtil.getIssuerKeyIdsAsLongs(signature);
|
||||||
if (issuer != null) {
|
boolean match = false;
|
||||||
if (issuer != signingKey.getKeyID()) {
|
for (Long issuer : issuers) {
|
||||||
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
|
if (issuer == 0L || issuer == signingKey.getKeyID()) {
|
||||||
|
match = true;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!match) {
|
||||||
|
String[] hex = new String[issuers.size()];
|
||||||
|
for (int i = 0; i < hex.length; i++) {
|
||||||
|
hex[i] = Long.toHexString(issuers.get(i));
|
||||||
|
}
|
||||||
|
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuers: " + Arrays.toString(hex) + ")");
|
||||||
|
}
|
||||||
|
|
||||||
OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
|
OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
|
||||||
if (fingerprint != null) {
|
if (fingerprint != null) {
|
||||||
if (!fingerprint.equals(signingKeyFingerprint)) {
|
if (!fingerprint.equals(signingKeyFingerprint)) {
|
||||||
|
@ -170,14 +180,14 @@ public abstract class SignatureValidator {
|
||||||
@Override
|
@Override
|
||||||
public void verify(PGPSignature signature) throws SignatureValidationException {
|
public void verify(PGPSignature signature) throws SignatureValidationException {
|
||||||
PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(signingKey.getAlgorithm());
|
PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(signingKey.getAlgorithm());
|
||||||
int bitStrength = signingKey.getBitStrength();
|
int bitStrength = signingKey.getBitStrength();
|
||||||
if (bitStrength == -1) {
|
if (bitStrength == -1) {
|
||||||
throw new SignatureValidationException("Cannot determine bit strength of signing key.");
|
throw new SignatureValidationException("Cannot determine bit strength of signing key.");
|
||||||
}
|
}
|
||||||
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
|
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
|
||||||
throw new SignatureValidationException("Signature was made using unacceptable key. " +
|
throw new SignatureValidationException("Signature was made using unacceptable key. " +
|
||||||
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
|
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -93,6 +93,21 @@ public final class SignatureSubpacketsUtil {
|
||||||
return fingerprint;
|
return fingerprint;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static List<IssuerKeyID> getIssuerKeyIds(PGPSignature signature) {
|
||||||
|
List<IssuerKeyID> keyIds = getSignatureSubpackets(signature.getHashedSubPackets(), SignatureSubpacket.issuerKeyId);
|
||||||
|
keyIds.addAll(getSignatureSubpackets(signature.getUnhashedSubPackets(), SignatureSubpacket.issuerKeyId));
|
||||||
|
return keyIds;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static List<Long> getIssuerKeyIdsAsLongs(PGPSignature signature) {
|
||||||
|
List<IssuerKeyID> keyIds = getIssuerKeyIds(signature);
|
||||||
|
List<Long> longs = new ArrayList<>();
|
||||||
|
for (IssuerKeyID keyID : keyIds) {
|
||||||
|
longs.add(keyID.getKeyID());
|
||||||
|
}
|
||||||
|
return longs;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return the issuer key-id subpacket of the signature.
|
* Return the issuer key-id subpacket of the signature.
|
||||||
* Since this packet is self-authenticating, we expect it to be in the unhashed area,
|
* Since this packet is self-authenticating, we expect it to be in the unhashed area,
|
||||||
|
@ -577,6 +592,16 @@ public final class SignatureSubpacketsUtil {
|
||||||
return hashedSubpacket != null ? hashedSubpacket : unhashed(signature, type);
|
return hashedSubpacket != null ? hashedSubpacket : unhashed(signature, type);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static <P extends org.bouncycastle.bcpg.SignatureSubpacket> List<P> getSignatureSubpackets(
|
||||||
|
PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
|
||||||
|
List<P> subpackets = new ArrayList<>();
|
||||||
|
org.bouncycastle.bcpg.SignatureSubpacket[] fromVector = vector.getSubpackets(type.getCode());
|
||||||
|
for (org.bouncycastle.bcpg.SignatureSubpacket p : fromVector) {
|
||||||
|
subpackets.add((P) p);
|
||||||
|
}
|
||||||
|
return subpackets;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Return the last occurrence of a subpacket type in the given signature subpacket vector.
|
* Return the last occurrence of a subpacket type in the given signature subpacket vector.
|
||||||
*
|
*
|
||||||
|
|
Loading…
Reference in a new issue