1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-17 18:02:05 +01:00

Allow modification of keys with custom reference date

Also, bind subkeys using SubkeyBindingSignatureBuilder
This commit is contained in:
Paul Schaub 2022-09-03 12:19:34 +02:00
parent 3030de7f3f
commit c3dc3c9d87
10 changed files with 207 additions and 170 deletions

View file

@ -127,7 +127,11 @@ public final class PGPainless {
* @return builder * @return builder
*/ */
public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys) { public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys) {
return new SecretKeyRingEditor(secretKeys); return modifyKeyRing(secretKeys, null);
}
public static SecretKeyRingEditorInterface modifyKeyRing(PGPSecretKeyRing secretKeys, Date referenceTime) {
return new SecretKeyRingEditor(secretKeys, referenceTime);
} }
/** /**

View file

@ -85,10 +85,10 @@ public class KeyRingInfo {
* Evaluate the key ring at the provided validation date. * Evaluate the key ring at the provided validation date.
* *
* @param keys key ring * @param keys key ring
* @param validationDate date of validation * @param referenceDate date of validation
*/ */
public KeyRingInfo(PGPKeyRing keys, Date validationDate) { public KeyRingInfo(PGPKeyRing keys, Date referenceDate) {
this(keys, PGPainless.getPolicy(), validationDate); this(keys, PGPainless.getPolicy(), referenceDate);
} }
/** /**
@ -96,12 +96,12 @@ public class KeyRingInfo {
* *
* @param keys key ring * @param keys key ring
* @param policy policy * @param policy policy
* @param validationDate validation date * @param referenceDate validation date
*/ */
public KeyRingInfo(PGPKeyRing keys, Policy policy, Date validationDate) { public KeyRingInfo(PGPKeyRing keys, Policy policy, Date referenceDate) {
this.referenceDate = referenceDate != null ? referenceDate : new Date();
this.keys = keys; this.keys = keys;
this.signatures = new Signatures(keys, validationDate, policy); this.signatures = new Signatures(keys, this.referenceDate, policy);
this.referenceDate = validationDate;
this.primaryUserId = findPrimaryUserId(); this.primaryUserId = findPrimaryUserId();
this.revocationState = findRevocationState(); this.revocationState = findRevocationState();
} }

View file

@ -4,35 +4,17 @@
package org.pgpainless.key.modification.secretkeyring; package org.pgpainless.key.modification.secretkeyring;
import static org.pgpainless.util.CollectionUtils.concat;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.bcpg.S2K; import org.bouncycastle.bcpg.S2K;
import org.bouncycastle.bcpg.SecretKeyPacket; import org.bouncycastle.bcpg.SecretKeyPacket;
import org.bouncycastle.bcpg.sig.KeyExpirationTime; import org.bouncycastle.bcpg.sig.KeyExpirationTime;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPKeyRingGenerator;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor; import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
import org.pgpainless.PGPainless; import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.AlgorithmSuite; import org.pgpainless.algorithm.AlgorithmSuite;
import org.pgpainless.algorithm.CompressionAlgorithm; import org.pgpainless.algorithm.CompressionAlgorithm;
@ -57,26 +39,49 @@ import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvi
import org.pgpainless.key.util.KeyRingUtils; import org.pgpainless.key.util.KeyRingUtils;
import org.pgpainless.key.util.RevocationAttributes; import org.pgpainless.key.util.RevocationAttributes;
import org.pgpainless.signature.builder.DirectKeySelfSignatureBuilder; import org.pgpainless.signature.builder.DirectKeySelfSignatureBuilder;
import org.pgpainless.signature.builder.PrimaryKeyBindingSignatureBuilder;
import org.pgpainless.signature.builder.RevocationSignatureBuilder; import org.pgpainless.signature.builder.RevocationSignatureBuilder;
import org.pgpainless.signature.builder.SelfSignatureBuilder; import org.pgpainless.signature.builder.SelfSignatureBuilder;
import org.pgpainless.signature.builder.SubkeyBindingSignatureBuilder;
import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets; import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpackets; import org.pgpainless.signature.subpackets.SignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper; import org.pgpainless.signature.subpackets.SignatureSubpacketsHelper;
import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil; import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.pgpainless.util.CollectionUtils;
import org.pgpainless.util.Passphrase; import org.pgpainless.util.Passphrase;
import org.pgpainless.util.selection.userid.SelectUserId; import org.pgpainless.util.selection.userid.SelectUserId;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import static org.pgpainless.util.CollectionUtils.concat;
public class SecretKeyRingEditor implements SecretKeyRingEditorInterface { public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
private PGPSecretKeyRing secretKeyRing; private PGPSecretKeyRing secretKeyRing;
private final Date referenceTime;
public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing) { public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing) {
this(secretKeyRing, null);
}
public SecretKeyRingEditor(PGPSecretKeyRing secretKeyRing, Date referenceTime) {
if (secretKeyRing == null) { if (secretKeyRing == null) {
throw new NullPointerException("SecretKeyRing MUST NOT be null."); throw new NullPointerException("SecretKeyRing MUST NOT be null.");
} }
this.secretKeyRing = secretKeyRing; this.secretKeyRing = secretKeyRing;
this.referenceTime = referenceTime;
} }
@Override @Override
@ -99,7 +104,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
// retain key flags from previous signature // retain key flags from previous signature
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
if (info.isHardRevoked(userId.toString())) { if (info.isHardRevoked(userId.toString())) {
throw new IllegalArgumentException("User-ID " + userId + " is hard revoked and cannot be re-certified."); throw new IllegalArgumentException("User-ID " + userId + " is hard revoked and cannot be re-certified.");
} }
@ -121,6 +126,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
} }
SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector); SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, protector);
if (referenceTime != null) {
builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION); builder.setSignatureType(SignatureType.POSITIVE_CERTIFICATION);
// Retain signature subpackets of previous signatures // Retain signature subpackets of previous signatures
@ -145,7 +153,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
// Determine previous key expiration date // Determine previous key expiration date
PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey(); PGPPublicKey primaryKey = secretKeyRing.getSecretKey().getPublicKey();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
String primaryUserId = info.getPrimaryUserId(); String primaryUserId = info.getPrimaryUserId();
PGPSignature signature = primaryUserId == null ? PGPSignature signature = primaryUserId == null ?
info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId); info.getLatestDirectKeySelfSignature() : info.getLatestUserIdCertification(primaryUserId);
@ -169,7 +177,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
protector); protector);
// unmark previous primary user-ids to be non-primary // unmark previous primary user-ids to be non-primary
info = PGPainless.inspectKeyRing(secretKeyRing); info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
for (String otherUserId : info.getValidAndExpiredUserIds()) { for (String otherUserId : info.getValidAndExpiredUserIds()) {
if (userId.toString().equals(otherUserId)) { if (userId.toString().equals(otherUserId)) {
continue; continue;
@ -227,7 +235,7 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
throw new IllegalArgumentException("New user-id cannot be empty."); throw new IllegalArgumentException("New user-id cannot be empty.");
} }
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
if (!info.isUserIdValid(oldUID)) { if (!info.isUserIdValid(oldUID)) {
throw new NoSuchElementException("Key does not carry user-id '" + oldUID + "', or it is not valid."); throw new NoSuchElementException("Key does not carry user-id '" + oldUID + "', or it is not valid.");
} }
@ -333,46 +341,34 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
} }
PGPSecretKey primaryKey = secretKeyRing.getSecretKey(); PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
PublicKeyAlgorithm signingKeyAlgorithm = PublicKeyAlgorithm.requireFromId(primaryKey.getPublicKey().getAlgorithm());
HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator HashAlgorithm hashAlgorithm = HashAlgorithmNegotiator
.negotiateSignatureHashAlgorithm(PGPainless.getPolicy()) .negotiateSignatureHashAlgorithm(PGPainless.getPolicy())
.negotiateHashAlgorithm(info.getPreferredHashAlgorithms()); .negotiateHashAlgorithm(info.getPreferredHashAlgorithms());
// While we'd like to rely on our own BindingSignatureBuilder implementation, PGPSecretKey secretSubkey = new PGPSecretKey(subkey.getPrivateKey(), subkey.getPublicKey(), ImplementationFactory.getInstance()
// unfortunately we have to use BCs PGPKeyRingGenerator class since there is no public constructor .getV4FingerprintCalculator(), false, subkeyProtector.getEncryptor(subkey.getKeyID()));
// for subkeys. See https://github.com/bcgit/bc-java/pull/1063
PGPKeyRingGenerator ringGenerator = new PGPKeyRingGenerator(
secretKeyRing,
primaryKeyProtector.getDecryptor(primaryKey.getKeyID()),
ImplementationFactory.getInstance().getV4FingerprintCalculator(),
ImplementationFactory.getInstance().getPGPContentSignerBuilder(
signingKeyAlgorithm, hashAlgorithm),
subkeyProtector.getEncryptor(subkey.getKeyID()));
SelfSignatureSubpackets hashedSubpackets = SignatureSubpackets.createHashedSubpackets(primaryKey.getPublicKey()); SubkeyBindingSignatureBuilder skBindingBuilder = new SubkeyBindingSignatureBuilder(primaryKey, primaryKeyProtector, hashAlgorithm);
SelfSignatureSubpackets unhashedSubpackets = SignatureSubpackets.createEmptySubpackets(); if (referenceTime != null) {
hashedSubpackets.setKeyFlags(flags); skBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
skBindingBuilder.getHashedSubpackets().setKeyFlags(flags);
if (bindingSignatureCallback != null) { if (subkeyAlgorithm.isSigningCapable()) {
bindingSignatureCallback.modifyHashedSubpackets(hashedSubpackets); PrimaryKeyBindingSignatureBuilder pkBindingBuilder = new PrimaryKeyBindingSignatureBuilder(secretSubkey, subkeyProtector, hashAlgorithm);
bindingSignatureCallback.modifyUnhashedSubpackets(unhashedSubpackets); if (referenceTime != null) {
pkBindingBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
PGPSignature pkBinding = pkBindingBuilder.build(primaryKey.getPublicKey());
skBindingBuilder.getHashedSubpackets().addEmbeddedSignature(pkBinding);
} }
boolean isSigningKey = CollectionUtils.contains(flags, KeyFlag.SIGN_DATA) || skBindingBuilder.applyCallback(bindingSignatureCallback);
CollectionUtils.contains(flags, KeyFlag.CERTIFY_OTHER); PGPSignature skBinding = skBindingBuilder.build(secretSubkey.getPublicKey());
PGPContentSignerBuilder primaryKeyBindingSigner = null;
if (isSigningKey) {
primaryKeyBindingSigner = ImplementationFactory.getInstance().getPGPContentSignerBuilder(subkeyAlgorithm, hashAlgorithm);
}
ringGenerator.addSubKey(subkey,
SignatureSubpacketsHelper.toVector((SignatureSubpackets) hashedSubpackets),
SignatureSubpacketsHelper.toVector((SignatureSubpackets) unhashedSubpackets),
primaryKeyBindingSigner);
secretKeyRing = ringGenerator.generateSecretKeyRing();
secretSubkey = KeyRingUtils.secretKeyPlusSignature(secretSubkey, skBinding);
secretKeyRing = KeyRingUtils.keysPlusSecretKey(secretKeyRing, secretSubkey);
return this; return this;
} }
@ -558,6 +554,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
SignatureType.CERTIFICATION_REVOCATION, SignatureType.CERTIFICATION_REVOCATION,
primarySecretKey, primarySecretKey,
protector); protector);
if (referenceTime != null) {
signatureBuilder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
signatureBuilder.applyCallback(callback); signatureBuilder.applyCallback(callback);
@ -585,14 +584,14 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
} }
// reissue primary user-id sig // reissue primary user-id sig
String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing).getPossiblyExpiredPrimaryUserId(); String primaryUserId = PGPainless.inspectKeyRing(secretKeyRing, referenceTime).getPossiblyExpiredPrimaryUserId();
if (primaryUserId != null) { if (primaryUserId != null) {
PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId); PGPSignature prevUserIdSig = getPreviousUserIdSignatures(primaryUserId);
PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig); PGPSignature userIdSig = reissuePrimaryUserIdSig(expiration, secretKeyRingProtector, primaryUserId, prevUserIdSig);
secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig); secretKeyRing = KeyRingUtils.injectCertification(secretKeyRing, primaryUserId, userIdSig);
} }
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
for (String userId : info.getValidUserIds()) { for (String userId : info.getValidUserIds()) {
if (userId.equals(primaryUserId)) { if (userId.equals(primaryUserId)) {
continue; continue;
@ -618,6 +617,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
PGPSignature prevUserIdSig) PGPSignature prevUserIdSig)
throws PGPException { throws PGPException {
SelfSignatureBuilder builder = new SelfSignatureBuilder(secretKeyRing.getSecretKey(), secretKeyRingProtector, prevUserIdSig); SelfSignatureBuilder builder = new SelfSignatureBuilder(secretKeyRing.getSecretKey(), secretKeyRingProtector, prevUserIdSig);
if (referenceTime != null) {
builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
builder.applyCallback(new SelfSignatureSubpackets.Callback() { builder.applyCallback(new SelfSignatureSubpackets.Callback() {
@Override @Override
public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@ -638,6 +640,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
PGPPublicKey publicKey = primaryKey.getPublicKey(); PGPPublicKey publicKey = primaryKey.getPublicKey();
SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevUserIdSig); SelfSignatureBuilder builder = new SelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevUserIdSig);
if (referenceTime != null) {
builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
builder.applyCallback(new SelfSignatureSubpackets.Callback() { builder.applyCallback(new SelfSignatureSubpackets.Callback() {
@Override @Override
public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@ -662,6 +667,9 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
final Date keyCreationTime = publicKey.getCreationTime(); final Date keyCreationTime = publicKey.getCreationTime();
DirectKeySelfSignatureBuilder builder = new DirectKeySelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig); DirectKeySelfSignatureBuilder builder = new DirectKeySelfSignatureBuilder(primaryKey, secretKeyRingProtector, prevDirectKeySig);
if (referenceTime != null) {
builder.getHashedSubpackets().setSignatureCreationTime(referenceTime);
}
builder.applyCallback(new SelfSignatureSubpackets.Callback() { builder.applyCallback(new SelfSignatureSubpackets.Callback() {
@Override @Override
public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@ -677,12 +685,12 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
} }
private PGPSignature getPreviousDirectKeySignature() { private PGPSignature getPreviousDirectKeySignature() {
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
return info.getLatestDirectKeySelfSignature(); return info.getLatestDirectKeySelfSignature();
} }
private PGPSignature getPreviousUserIdSignatures(String userId) { private PGPSignature getPreviousUserIdSignatures(String userId) {
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing, referenceTime);
return info.getLatestUserIdCertification(userId); return info.getLatestUserIdCertification(userId);
} }

View file

@ -10,9 +10,11 @@ import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.pgpainless.algorithm.HashAlgorithm;
import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpackets;
public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder<PrimaryKeyBindingSignatureBuilder> { public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder<PrimaryKeyBindingSignatureBuilder> {
@ -21,6 +23,15 @@ public class PrimaryKeyBindingSignatureBuilder extends AbstractSignatureBuilder<
super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector); super(SignatureType.PRIMARYKEY_BINDING, subkey, subkeyProtector);
} }
public PrimaryKeyBindingSignatureBuilder(PGPSecretKey secretSubKey,
SecretKeyRingProtector subkeyProtector,
HashAlgorithm hashAlgorithm)
throws PGPException {
super(SignatureType.PRIMARYKEY_BINDING, secretSubKey, subkeyProtector, hashAlgorithm,
SignatureSubpackets.createHashedSubpackets(secretSubKey.getPublicKey()),
SignatureSubpackets.createEmptySubpackets());
}
public SelfSignatureSubpackets getHashedSubpackets() { public SelfSignatureSubpackets getHashedSubpackets() {
return hashedSubpackets; return hashedSubpackets;
} }

View file

@ -10,9 +10,11 @@ import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSecretKey; import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
import org.pgpainless.algorithm.HashAlgorithm;
import org.pgpainless.algorithm.SignatureType; import org.pgpainless.algorithm.SignatureType;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets; import org.pgpainless.signature.subpackets.SelfSignatureSubpackets;
import org.pgpainless.signature.subpackets.SignatureSubpackets;
public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder<SubkeyBindingSignatureBuilder> { public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder<SubkeyBindingSignatureBuilder> {
@ -21,6 +23,13 @@ public class SubkeyBindingSignatureBuilder extends AbstractSignatureBuilder<Subk
super(SignatureType.SUBKEY_BINDING, signingKey, protector); super(SignatureType.SUBKEY_BINDING, signingKey, protector);
} }
public SubkeyBindingSignatureBuilder(PGPSecretKey signingKey, SecretKeyRingProtector protector, HashAlgorithm hashAlgorithm)
throws PGPException {
super(SignatureType.SUBKEY_BINDING, signingKey, protector, hashAlgorithm,
SignatureSubpackets.createHashedSubpackets(signingKey.getPublicKey()),
SignatureSubpackets.createEmptySubpackets());
}
public SubkeyBindingSignatureBuilder( public SubkeyBindingSignatureBuilder(
PGPSecretKey signingKey, PGPSecretKey signingKey,
SecretKeyRingProtector protector, SecretKeyRingProtector protector,

View file

@ -16,6 +16,7 @@ import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.Date;
import java.util.List; import java.util.List;
import org.bouncycastle.bcpg.sig.IssuerFingerprint; import org.bouncycastle.bcpg.sig.IssuerFingerprint;
@ -40,7 +41,7 @@ public class KeyGenerationSubpacketsTest {
@Test @Test
public void verifyDefaultSubpacketsForUserIdSignatures() public void verifyDefaultSubpacketsForUserIdSignatures()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice"); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice");
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@ -88,10 +89,9 @@ public class KeyGenerationSubpacketsTest {
assertEquals("Bob", info.getPrimaryUserId()); assertEquals("Bob", info.getPrimaryUserId());
// wait one sec so that it is clear that the new certification for alice is the most recent one Date now = new Date();
Thread.sleep(1000); Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
secretKeys = PGPainless.modifyKeyRing(secretKeys)
.addUserId("Alice", new SelfSignatureSubpackets.Callback() { .addUserId("Alice", new SelfSignatureSubpackets.Callback() {
@Override @Override
public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
@ -100,7 +100,7 @@ public class KeyGenerationSubpacketsTest {
} }
}, SecretKeyRingProtector.unprotectedKeys()) }, SecretKeyRingProtector.unprotectedKeys())
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, t1);
assertEquals("Alice", info.getPrimaryUserId()); assertEquals("Alice", info.getPrimaryUserId());
assertEquals(Collections.singleton(HashAlgorithm.SHA1), info.getPreferredHashAlgorithms("Alice")); assertEquals(Collections.singleton(HashAlgorithm.SHA1), info.getPreferredHashAlgorithms("Alice"));
} }

View file

@ -34,7 +34,7 @@ public class ChangeExpirationTest {
@TestTemplate @TestTemplate
@ExtendWith(TestAllImplementations.class) @ExtendWith(TestAllImplementations.class)
public void setExpirationDateAndThenUnsetIt_OnPrimaryKey() public void setExpirationDateAndThenUnsetIt_OnPrimaryKey()
throws PGPException, IOException, InterruptedException { throws PGPException, IOException {
PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();
KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys);
@ -42,6 +42,7 @@ public class ChangeExpirationTest {
assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getPrimaryKeyExpirationDate());
assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint));
Date now = new Date();
Date date = DateUtil.parseUTCDate("2020-11-27 16:10:32 UTC"); Date date = DateUtil.parseUTCDate("2020-11-27 16:10:32 UTC");
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys)
.setExpirationDate(date, new UnprotectedKeysProtector()).done(); .setExpirationDate(date, new UnprotectedKeysProtector()).done();
@ -51,15 +52,11 @@ public class ChangeExpirationTest {
// subkey unchanged // subkey unchanged
assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint));
// We need to wait for one second as OpenPGP signatures have coarse-grained (up to a second) Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
// accuracy. Creating two signatures within a short amount of time will make the second one secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
// "invisible"
Thread.sleep(1100);
secretKeys = PGPainless.modifyKeyRing(secretKeys)
.setExpirationDate(null, new UnprotectedKeysProtector()).done(); .setExpirationDate(null, new UnprotectedKeysProtector()).done();
sInfo = PGPainless.inspectKeyRing(secretKeys); sInfo = PGPainless.inspectKeyRing(secretKeys, t1);
assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getPrimaryKeyExpirationDate());
assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint)); assertNull(sInfo.getSubkeyExpirationDate(subKeyFingerprint));
} }
@ -67,32 +64,30 @@ public class ChangeExpirationTest {
@TestTemplate @TestTemplate
@ExtendWith(TestAllImplementations.class) @ExtendWith(TestAllImplementations.class)
public void setExpirationDateAndThenUnsetIt_OnSubkey() public void setExpirationDateAndThenUnsetIt_OnSubkey()
throws PGPException, IOException, InterruptedException { throws PGPException, IOException {
PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing(); PGPSecretKeyRing secretKeys = TestKeys.getEmilSecretKeyRing();
KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo sInfo = PGPainless.inspectKeyRing(secretKeys);
assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getPrimaryKeyExpirationDate());
Date now = new Date();
Calendar calendar = Calendar.getInstance(); Calendar calendar = Calendar.getInstance();
calendar.setTime(new Date()); calendar.setTime(now);
calendar.add(Calendar.DATE, 5); calendar.add(Calendar.DATE, 5);
Date expiration = calendar.getTime(); Date expiration = calendar.getTime(); // in 5 days
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys)
.setExpirationDate(expiration, new UnprotectedKeysProtector()).done(); .setExpirationDate(expiration, new UnprotectedKeysProtector()).done();
sInfo = PGPainless.inspectKeyRing(secretKeys); sInfo = PGPainless.inspectKeyRing(secretKeys);
assertNotNull(sInfo.getPrimaryKeyExpirationDate()); assertNotNull(sInfo.getPrimaryKeyExpirationDate());
JUtils.assertDateEquals(expiration, sInfo.getPrimaryKeyExpirationDate()); JUtils.assertDateEquals(expiration, sInfo.getPrimaryKeyExpirationDate());
// We need to wait for one second as OpenPGP signatures have coarse-grained (up to a second) Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
// accuracy. Creating two signatures within a short amount of time will make the second one secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
// "invisible"
Thread.sleep(1100);
secretKeys = PGPainless.modifyKeyRing(secretKeys)
.setExpirationDate(null, new UnprotectedKeysProtector()).done(); .setExpirationDate(null, new UnprotectedKeysProtector()).done();
sInfo = PGPainless.inspectKeyRing(secretKeys); sInfo = PGPainless.inspectKeyRing(secretKeys, t1);
assertNull(sInfo.getPrimaryKeyExpirationDate()); assertNull(sInfo.getPrimaryKeyExpirationDate());
} }
@ -118,7 +113,7 @@ public class ChangeExpirationTest {
.done(); .done();
Date actualExpiration = PGPainless.inspectKeyRing(secretKeys) Date actualExpiration = PGPainless.inspectKeyRing(secretKeys)
.getPrimaryKeyExpirationDate(); .getPrimaryKeyExpirationDate();
JUtils.assertDateEquals(notSoFarAwayExpiration, actualExpiration); JUtils.assertDateEquals(notSoFarAwayExpiration, actualExpiration);
} }
} }

View file

@ -4,15 +4,6 @@
package org.pgpainless.key.modification; package org.pgpainless.key.modification;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature; import org.bouncycastle.openpgp.PGPSignature;
@ -21,54 +12,68 @@ import org.pgpainless.PGPainless;
import org.pgpainless.key.info.KeyRingInfo; import org.pgpainless.key.info.KeyRingInfo;
import org.pgpainless.key.protection.SecretKeyRingProtector; import org.pgpainless.key.protection.SecretKeyRingProtector;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class ChangePrimaryUserIdAndExpirationDatesTest { public class ChangePrimaryUserIdAndExpirationDatesTest {
private static final long millisInHour = 1000 * 60 * 60;
@Test @Test
public void generateA_primaryB_revokeA_cantSecondaryA() public void generateA_primaryB_revokeA_cantSecondaryA()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.modernKeyRing("A"); .modernKeyRing("A");
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); Date now = new Date();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, now);
assertFalse(info.isHardRevoked("A")); assertFalse(info.isHardRevoked("A"));
assertFalse(info.isHardRevoked("B")); assertFalse(info.isHardRevoked("B"));
assertIsPrimaryUserId("A", info); assertIsPrimaryUserId("A", info);
assertIsNotValid("B", info); assertIsNotValid("B", info);
assertIsNotPrimaryUserId("B", info); assertIsNotPrimaryUserId("B", info);
Thread.sleep(1000); // One hour later
Date oneHourLater = new Date(now.getTime() + millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, oneHourLater)
.addPrimaryUserId("B", protector) .addPrimaryUserId("B", protector)
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, oneHourLater);
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
assertIsNotPrimaryUserId("A", info); assertIsNotPrimaryUserId("A", info);
Thread.sleep(1000); // Two hours later
Date twoHoursLater = new Date(now.getTime() + 2 * millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, twoHoursLater)
.revokeUserId("A", protector) // hard revoke A .revokeUserId("A", protector) // hard revoke A
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, twoHoursLater);
assertTrue(info.isHardRevoked("A")); assertTrue(info.isHardRevoked("A"));
assertFalse(info.isHardRevoked("B")); assertFalse(info.isHardRevoked("B"));
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
assertIsNotValid("A", info); assertIsNotValid("A", info);
Thread.sleep(1000); // Three hours later
Date threeHoursLater = new Date(now.getTime() + 3 * millisInHour);
PGPSecretKeyRing finalSecretKeys = secretKeys; PGPSecretKeyRing finalSecretKeys = secretKeys;
assertThrows(IllegalArgumentException.class, () -> assertThrows(IllegalArgumentException.class, () ->
PGPainless.modifyKeyRing(finalSecretKeys).addUserId("A", protector)); PGPainless.modifyKeyRing(finalSecretKeys, threeHoursLater).addUserId("A", protector));
} }
@Test @Test
public void generateA_primaryExpire_isExpired() public void generateA_primaryExpire_isExpired()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.modernKeyRing("A"); .modernKeyRing("A");
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
@ -76,71 +81,77 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
assertIsPrimaryUserId("A", info); assertIsPrimaryUserId("A", info);
Thread.sleep(1000); Date now = new Date();
Date later = new Date(now.getTime() + millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, now)
.setExpirationDate(new Date(), protector) // expire the whole key .setExpirationDate(later, protector) // expire the whole key
.done(); .done();
Thread.sleep(1000); Date evenLater = new Date(now.getTime() + 2 * millisInHour);
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, evenLater);
assertFalse(info.isUserIdValid("A")); // is expired by now assertFalse(info.isUserIdValid("A")); // is expired by now
} }
@Test @Test
public void generateA_primaryB_primaryExpire_bIsStillPrimary() public void generateA_primaryB_primaryExpire_bIsStillPrimary()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.modernKeyRing("A"); .modernKeyRing("A");
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
Date now = new Date();
// Generate key with primary user-id A
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
assertIsPrimaryUserId("A", info); assertIsPrimaryUserId("A", info);
Thread.sleep(1000); // later set primary user-id to B
Date t1 = new Date(now.getTime() + millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
.addPrimaryUserId("B", protector) .addPrimaryUserId("B", protector)
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, t1);
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
assertIsNotPrimaryUserId("A", info); assertIsNotPrimaryUserId("A", info);
Thread.sleep(1000); // Even later expire the whole key
Date t2 = new Date(now.getTime() + 2 * millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) Date expiration = new Date(now.getTime() + 10 * millisInHour);
.setExpirationDate(new Date(new Date().getTime() + 1000), protector) // expire the whole key in 1 sec secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
.setExpirationDate(expiration, protector) // expire the whole key in 1 hour
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); Date t3 = new Date(now.getTime() + 3 * millisInHour);
info = PGPainless.inspectKeyRing(secretKeys, t3);
assertIsValid("A", info); assertIsValid("A", info);
assertIsValid("B", info); assertIsValid("B", info);
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
assertIsNotPrimaryUserId("A", info); assertIsNotPrimaryUserId("A", info);
Thread.sleep(2000); info = PGPainless.inspectKeyRing(secretKeys, expiration);
info = PGPainless.inspectKeyRing(secretKeys);
assertIsPrimaryUserId("B", info); // B is still primary, even though assertIsPrimaryUserId("B", info); // B is still primary, even though
assertFalse(info.isUserIdValid("A")); // key is expired by now assertFalse(info.isUserIdValid("A")); // key is expired by now
assertFalse(info.isUserIdValid("B")); assertFalse(info.isUserIdValid("B"));
} }
@Test @Test
public void generateA_expire_certify() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { public void generateA_expire_certify()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
secretKeys = PGPainless.modifyKeyRing(secretKeys) Date now = new Date();
.setExpirationDate(new Date(new Date().getTime() + 1000), protector) Date t1 = new Date(now.getTime() + millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys, now)
.setExpirationDate(t1, protector)
.done(); .done();
Thread.sleep(2000); Date t2 = new Date(now.getTime() + 2 * millisInHour);
Date t4 = new Date(now.getTime() + 4 * millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
.setExpirationDate(new Date(new Date().getTime() + 2000), protector) .setExpirationDate(t4, protector)
.done(); .done();
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
@ -150,49 +161,48 @@ public class ChangePrimaryUserIdAndExpirationDatesTest {
@Test @Test
public void generateA_expire_primaryB_expire_isPrimaryB() public void generateA_expire_primaryB_expire_isPrimaryB()
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A"); PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("A");
SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys(); SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
Thread.sleep(1000); Date now = new Date();
Date t1 = new Date(now.getTime() + millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
.setExpirationDate(new Date(), protector) .setExpirationDate(t1, protector)
.done(); .done();
Thread.sleep(2000); Date t2 = new Date(now.getTime() + 2 * millisInHour);
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t2);
assertIsPrimaryUserId("A", info); assertIsPrimaryUserId("A", info);
assertIsNotValid("A", info); // A is expired assertIsNotValid("A", info); // A is expired
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t2)
.addPrimaryUserId("B", protector) .addPrimaryUserId("B", protector)
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); Date t3 = new Date(now.getTime() + 3 * millisInHour);
info = PGPainless.inspectKeyRing(secretKeys, t3);
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
assertIsNotValid("B", info); // A and B are still expired assertIsNotValid("B", info); // A and B are still expired
assertIsNotValid("A", info); assertIsNotValid("A", info);
Thread.sleep(1000); Date t4 = new Date(now.getTime() + 4 * millisInHour);
Date t5 = new Date(now.getTime() + 5 * millisInHour);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t3)
.setExpirationDate(new Date(new Date().getTime() + 10000), protector) .setExpirationDate(t5, protector)
.done(); .done();
Thread.sleep(1000); info = PGPainless.inspectKeyRing(secretKeys, t4);
info = PGPainless.inspectKeyRing(secretKeys);
assertIsValid("B", info); assertIsValid("B", info);
assertIsValid("A", info); // A got re-validated when changing exp date assertIsValid("A", info); // A got re-validated when changing exp date
assertIsPrimaryUserId("B", info); assertIsPrimaryUserId("B", info);
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t4)
.addUserId("A", protector) // re-certify A as non-primary user-id .addUserId("A", protector) // re-certify A as non-primary user-id
.done(); .done();
info = PGPainless.inspectKeyRing(secretKeys); info = PGPainless.inspectKeyRing(secretKeys, t4);
assertIsValid("B", info); assertIsValid("B", info);
assertIsValid("A", info); assertIsValid("A", info);

View file

@ -10,7 +10,6 @@ import static org.junit.jupiter.api.Assertions.assertNotEquals;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Calendar;
import java.util.Date; import java.util.Date;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
@ -23,12 +22,14 @@ import org.pgpainless.PGPainless;
import org.pgpainless.key.protection.UnprotectedKeysProtector; import org.pgpainless.key.protection.UnprotectedKeysProtector;
import org.pgpainless.util.TestAllImplementations; import org.pgpainless.util.TestAllImplementations;
public class OldSignatureSubpacketsArePreservedOnNewSig { public class OldSignatureSubpacketsArePreservedOnNewSigTest {
private static final long millisInHour = 1000 * 60 * 60;
@TestTemplate @TestTemplate
@ExtendWith(TestAllImplementations.class) @ExtendWith(TestAllImplementations.class)
public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig() public void verifyOldSignatureSubpacketsArePreservedOnNewExpirationDateSig()
throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException { throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.simpleEcKeyRing("Alice <alice@wonderland.lit>"); .simpleEcKeyRing("Alice <alice@wonderland.lit>");
@ -37,17 +38,14 @@ public class OldSignatureSubpacketsArePreservedOnNewSig {
assertEquals(0, oldPackets.getKeyExpirationTime()); assertEquals(0, oldPackets.getKeyExpirationTime());
Thread.sleep(1000);
Date now = new Date(); Date now = new Date();
Calendar calendar = Calendar.getInstance(); Date t1 = new Date(now.getTime() + millisInHour);
calendar.setTime(now); Date expiration = new Date(now.getTime() + 5 * 24 * millisInHour); // in 5 days
calendar.add(Calendar.DATE, 5);
Date expiration = calendar.getTime(); // in 5 days
secretKeys = PGPainless.modifyKeyRing(secretKeys) secretKeys = PGPainless.modifyKeyRing(secretKeys, t1)
.setExpirationDate(expiration, new UnprotectedKeysProtector()) .setExpirationDate(expiration, new UnprotectedKeysProtector())
.done(); .done();
PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getLatestUserIdCertification("Alice <alice@wonderland.lit>"); PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys, t1).getLatestUserIdCertification("Alice <alice@wonderland.lit>");
PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets(); PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets();
assertNotEquals(0, newPackets.getKeyExpirationTime()); assertNotEquals(0, newPackets.getKeyExpirationTime());

View file

@ -11,6 +11,7 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Collections; import java.util.Collections;
import java.util.Date;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKeyRing; import org.bouncycastle.openpgp.PGPSecretKeyRing;
@ -32,7 +33,7 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
public class ThirdPartyDirectKeySignatureBuilderTest { public class ThirdPartyDirectKeySignatureBuilderTest {
@Test @Test
public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, InterruptedException { public void testDirectKeySignatureBuilding() throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.modernKeyRing("Alice"); .modernKeyRing("Alice");
@ -40,9 +41,12 @@ public class ThirdPartyDirectKeySignatureBuilderTest {
secretKeys.getSecretKey(), secretKeys.getSecretKey(),
SecretKeyRingProtector.unprotectedKeys()); SecretKeyRingProtector.unprotectedKeys());
Date now = new Date();
Date t1 = new Date(now.getTime() + 1000 * 60 * 60);
dsb.applyCallback(new SelfSignatureSubpackets.Callback() { dsb.applyCallback(new SelfSignatureSubpackets.Callback() {
@Override @Override
public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) { public void modifyHashedSubpackets(SelfSignatureSubpackets hashedSubpackets) {
hashedSubpackets.setSignatureCreationTime(t1);
hashedSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER); hashedSubpackets.setKeyFlags(KeyFlag.CERTIFY_OTHER);
hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA512); hashedSubpackets.setPreferredHashAlgorithms(HashAlgorithm.SHA512);
hashedSubpackets.setPreferredCompressionAlgorithms(CompressionAlgorithm.ZIP); hashedSubpackets.setPreferredCompressionAlgorithms(CompressionAlgorithm.ZIP);
@ -51,13 +55,11 @@ public class ThirdPartyDirectKeySignatureBuilderTest {
} }
}); });
Thread.sleep(1000);
PGPSignature directKeySig = dsb.build(secretKeys.getPublicKey()); PGPSignature directKeySig = dsb.build(secretKeys.getPublicKey());
assertNotNull(directKeySig); assertNotNull(directKeySig);
secretKeys = KeyRingUtils.injectCertification(secretKeys, secretKeys.getPublicKey(), directKeySig); secretKeys = KeyRingUtils.injectCertification(secretKeys, secretKeys.getPublicKey(), directKeySig);
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys); KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys, t1);
PGPSignature signature = info.getLatestDirectKeySelfSignature(); PGPSignature signature = info.getLatestDirectKeySelfSignature();
assertNotNull(signature); assertNotNull(signature);