mirror of https://github.com/pgpainless/pgpainless.git synced 2024-12-25 04:17:59 +01:00

WIP: Fix fake signature issuer test

Paul Schaub 2022-04-12 21:08:21 +02:00
parent 218d7becae
commit c39d5a09ce
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
2 changed files with 47 additions and 12 deletions


@ -59,13 +59,23 @@ public abstract class SignatureValidator {
public void verify(PGPSignature signature) throws SignatureValidationException {
OpenPgpFingerprint signingKeyFingerprint = OpenPgpFingerprint.of(signingKey);
Long issuer = SignatureSubpacketsUtil.getIssuerKeyIdAsLong(signature);
if (issuer != null) {
if (issuer != signingKey.getKeyID()) {
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuer: " + Long.toHexString(issuer) + ")");
List<Long> issuers = SignatureSubpacketsUtil.getIssuerKeyIdsAsLongs(signature);
boolean match = false;
for (Long issuer : issuers) {
if (issuer == 0L || issuer == signingKey.getKeyID()) {
match = true;
break;
}
}
if (!match) {
String[] hex = new String[issuers.size()];
for (int i = 0; i < hex.length; i++) {
hex[i] = Long.toHexString(issuers.get(i));
}
throw new SignatureValidationException("Signature was not created by " + signingKeyFingerprint + " (signature issuers: " + Arrays.toString(hex) + ")");
}
OpenPgpFingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpFingerprint(signature);
if (fingerprint != null) {
if (!fingerprint.equals(signingKeyFingerprint)) {
@ -170,14 +180,14 @@ public abstract class SignatureValidator {
@Override
public void verify(PGPSignature signature) throws SignatureValidationException {
PublicKeyAlgorithm algorithm = PublicKeyAlgorithm.requireFromId(signingKey.getAlgorithm());
int bitStrength = signingKey.getBitStrength();
if (bitStrength == -1) {
throw new SignatureValidationException("Cannot determine bit strength of signing key.");
}
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
throw new SignatureValidationException("Signature was made using unacceptable key. " +
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
}
int bitStrength = signingKey.getBitStrength();
if (bitStrength == -1) {
throw new SignatureValidationException("Cannot determine bit strength of signing key.");
}
if (!policy.getPublicKeyAlgorithmPolicy().isAcceptable(algorithm, bitStrength)) {
throw new SignatureValidationException("Signature was made using unacceptable key. " +
algorithm + " (" + bitStrength + " bits) is not acceptable according to the public key algorithm policy.");
}
}
};
}
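Review bot: In the first hunk of `verify`, a signature that carries no issuer key-ID subpacket at all is now rejected: `issuers` is empty, `match` stays false and the `if (!match)` branch throws, whereas the earlier `if (issuer != null)` form skipped the check in that case. If signatures that carry only an issuer fingerprint must still pass, guard the branch with `if (!issuers.isEmpty() && !match) {`. The loop also accepts the signature as soon as any entry equals the key ID or is `0L`, and the list is built from the hashed and the unhashed area together, so a mismatching hashed issuer is ignored whenever an unhashed entry, which the signature does not cover, matches. A comment such as `// issuer subpackets are only a hint; the binding to signingKey is established by the cryptographic verification` would make that intent explicit, and a test with conflicting hashed and unhashed issuers would pin it. The method body starts and ends outside the hunk.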


@ -93,6 +93,21 @@ public final class SignatureSubpacketsUtil {
return fingerprint;
}
public static List<IssuerKeyID> getIssuerKeyIds(PGPSignature signature) {
List<IssuerKeyID> keyIds = getSignatureSubpackets(signature.getHashedSubPackets(), SignatureSubpacket.issuerKeyId);
keyIds.addAll(getSignatureSubpackets(signature.getUnhashedSubPackets(), SignatureSubpacket.issuerKeyId));
return keyIds;
}
public static List<Long> getIssuerKeyIdsAsLongs(PGPSignature signature) {
List<IssuerKeyID> keyIds = getIssuerKeyIds(signature);
List<Long> longs = new ArrayList<>();
for (IssuerKeyID keyID : keyIds) {
longs.add(keyID.getKeyID());
}
return longs;
}
/**
* Return the issuer key-id subpacket of the signature.
* Since this packet is self-authenticating, we expect it to be in the unhashed area,
@ -577,6 +592,16 @@ public final class SignatureSubpacketsUtil {
return hashedSubpacket != null ? hashedSubpacket : unhashed(signature, type);
}
public static <P extends org.bouncycastle.bcpg.SignatureSubpacket> List<P> getSignatureSubpackets(
PGPSignatureSubpacketVector vector, SignatureSubpacket type) {
List<P> subpackets = new ArrayList<>();
org.bouncycastle.bcpg.SignatureSubpacket[] fromVector = vector.getSubpackets(type.getCode());
for (org.bouncycastle.bcpg.SignatureSubpacket p : fromVector) {
subpackets.add((P) p);
}
return subpackets;
}
/**
* Return the last occurrence of a subpacket type in the given signature subpacket vector.
*
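Review bot: `getSignatureSubpackets` dereferences `vector` without a null check, and `getIssuerKeyIds` passes it the results of `signature.getHashedSubPackets()` and `signature.getUnhashedSubPackets()` directly. If either can be null for a signature without subpacket areas (BouncyCastle appears to return null there, to be confirmed), this throws a NullPointerException on parsed input instead of returning an empty list; `if (vector == null) { return subpackets; }` before the `getSubpackets` call would avoid that. The `(P) p` cast is unchecked, so a caller that binds `P` to the wrong subpacket class fails only later at the use site; the cast deserves a narrowly scoped `@SuppressWarnings("unchecked")` with a comment stating that `type` must correspond to `P`. The three new public methods have no Javadoc, and `getIssuerKeyIds` in particular should state that it returns hashed entries followed by unhashed ones and that the unhashed entries are not covered by the signature.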