mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-27 06:42:05 +01:00
Test and implement revocation of single userIDs
This commit is contained in:
parent
c4d670821f
commit
ee1f90e850
7 changed files with 313 additions and 58 deletions
|
@ -177,8 +177,12 @@ public class KeyRingInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean isUserIdValid(String userId) {
|
public boolean isUserIdValid(String userId) {
|
||||||
|
return isUserIdValid(getKeyId(), userId);
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean isUserIdValid(long keyId, String userId) {
|
||||||
try {
|
try {
|
||||||
return SignatureUtils.isUserIdValid(getPublicKey(), userId);
|
return SignatureUtils.isUserIdValid(getPublicKey(keyId), userId);
|
||||||
} catch (PGPException e) {
|
} catch (PGPException e) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -308,17 +312,9 @@ public class KeyRingInfo {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public List<PGPSignature> getSelfSignatures() {
|
public List<PGPSignature> getSelfSignaturesOnKey(long subkeyId) {
|
||||||
return getSelfSignatures(new OpenPgpV4Fingerprint(getPublicKey()));
|
|
||||||
}
|
|
||||||
|
|
||||||
public List<PGPSignature> getSelfSignatures(OpenPgpV4Fingerprint subkeyFingerprint) {
|
|
||||||
return getSelfSignatures(subkeyFingerprint.getKeyId());
|
|
||||||
}
|
|
||||||
|
|
||||||
public List<PGPSignature> getSelfSignatures(long subkeyId) {
|
|
||||||
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
|
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
|
||||||
Iterator<PGPSignature> it = publicKey.getSignaturesForKeyID(subkeyId);
|
Iterator<PGPSignature> it = publicKey.getSignaturesForKeyID(keys.getPublicKey().getKeyID());
|
||||||
List<PGPSignature> signatures = new ArrayList<>();
|
List<PGPSignature> signatures = new ArrayList<>();
|
||||||
while (it.hasNext()) {
|
while (it.hasNext()) {
|
||||||
signatures.add(it.next());
|
signatures.add(it.next());
|
||||||
|
@ -327,25 +323,25 @@ public class KeyRingInfo {
|
||||||
return signatures;
|
return signatures;
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfSignature() throws PGPException {
|
public PGPSignature getLatestValidSelfSignatureOnKey() throws PGPException {
|
||||||
return getLatestValidSelfSignature(new OpenPgpV4Fingerprint(getPublicKey()));
|
return getLatestValidSelfSignatureOnKey(new OpenPgpV4Fingerprint(getPublicKey()));
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfSignature(OpenPgpV4Fingerprint fingerprint) throws PGPException {
|
public PGPSignature getLatestValidSelfSignatureOnKey(OpenPgpV4Fingerprint fingerprint) throws PGPException {
|
||||||
return getLatestValidSelfSignature(fingerprint.getKeyId());
|
return getLatestValidSelfSignatureOnKey(fingerprint.getKeyId());
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfSignature(long subkeyId) throws PGPException {
|
public PGPSignature getLatestValidSelfSignatureOnKey(long subkeyId) throws PGPException {
|
||||||
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
|
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
|
||||||
List<PGPSignature> signatures = getSelfSignatures(subkeyId);
|
List<PGPSignature> signatures = getSelfSignaturesOnKey(keys.getPublicKey().getKeyID());
|
||||||
return getLatestValidSignature(publicKey, signatures, keys);
|
return getLatestValidSignature(publicKey, signatures, keys);
|
||||||
}
|
}
|
||||||
|
|
||||||
public List<PGPSignature> getBindingSignatures(OpenPgpV4Fingerprint fingerprint) {
|
public List<PGPSignature> getBindingSignaturesOnKey(OpenPgpV4Fingerprint fingerprint) {
|
||||||
return getBindingSignatures(fingerprint.getKeyId());
|
return getBindingSignaturesOnKey(fingerprint.getKeyId());
|
||||||
}
|
}
|
||||||
|
|
||||||
public List<PGPSignature> getBindingSignatures(long subkeyId) {
|
public List<PGPSignature> getBindingSignaturesOnKey(long subkeyId) {
|
||||||
if (subkeyId == getKeyId()) {
|
if (subkeyId == getKeyId()) {
|
||||||
return Collections.emptyList();
|
return Collections.emptyList();
|
||||||
}
|
}
|
||||||
|
@ -353,23 +349,19 @@ public class KeyRingInfo {
|
||||||
return SignatureUtils.getBindingSignatures(publicKey, getKeyId());
|
return SignatureUtils.getBindingSignatures(publicKey, getKeyId());
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidBindingSignature(long subKeyID) throws PGPException {
|
public PGPSignature getLatestValidBindingSignatureOnKey(long subKeyID) throws PGPException {
|
||||||
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subKeyID);
|
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subKeyID);
|
||||||
List<PGPSignature> signatures = getBindingSignatures(subKeyID);
|
List<PGPSignature> signatures = getBindingSignaturesOnKey(subKeyID);
|
||||||
return getLatestValidSignature(publicKey, signatures, keys);
|
return getLatestValidSignature(publicKey, signatures, keys);
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfOrBindingSignature() throws PGPException {
|
public PGPSignature getLatestValidSelfOrBindingSignatureOnKey(OpenPgpV4Fingerprint fingerprint) throws PGPException {
|
||||||
return getLatestValidSelfOrBindingSignature(new OpenPgpV4Fingerprint(getPublicKey()));
|
return getLatestValidSelfOrBindingSignatureOnKey(fingerprint.getKeyId());
|
||||||
}
|
}
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfOrBindingSignature(OpenPgpV4Fingerprint fingerprint) throws PGPException {
|
public PGPSignature getLatestValidSelfOrBindingSignatureOnKey(long subKeyId) throws PGPException {
|
||||||
return getLatestValidSelfOrBindingSignature(fingerprint.getKeyId());
|
PGPSignature self = getLatestValidSelfSignatureOnKey(subKeyId);
|
||||||
}
|
PGPSignature binding = getLatestValidBindingSignatureOnKey(subKeyId);
|
||||||
|
|
||||||
public PGPSignature getLatestValidSelfOrBindingSignature(long subKeyId) throws PGPException {
|
|
||||||
PGPSignature self = getLatestValidSelfSignature(subKeyId);
|
|
||||||
PGPSignature binding = getLatestValidBindingSignature(subKeyId);
|
|
||||||
if (self == null) {
|
if (self == null) {
|
||||||
return binding;
|
return binding;
|
||||||
}
|
}
|
||||||
|
|
|
@ -45,6 +45,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
|
||||||
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
|
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
|
||||||
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
|
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
|
||||||
import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
|
import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
|
||||||
|
import org.pgpainless.PGPainless;
|
||||||
import org.pgpainless.algorithm.HashAlgorithm;
|
import org.pgpainless.algorithm.HashAlgorithm;
|
||||||
import org.pgpainless.algorithm.SignatureType;
|
import org.pgpainless.algorithm.SignatureType;
|
||||||
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
||||||
|
@ -52,6 +53,7 @@ import org.pgpainless.implementation.ImplementationFactory;
|
||||||
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
||||||
import org.pgpainless.key.generation.KeyRingBuilder;
|
import org.pgpainless.key.generation.KeyRingBuilder;
|
||||||
import org.pgpainless.key.generation.KeySpec;
|
import org.pgpainless.key.generation.KeySpec;
|
||||||
|
import org.pgpainless.key.info.KeyRingInfo;
|
||||||
import org.pgpainless.key.protection.KeyRingProtectionSettings;
|
import org.pgpainless.key.protection.KeyRingProtectionSettings;
|
||||||
import org.pgpainless.key.protection.PassphraseMapKeyRingProtector;
|
import org.pgpainless.key.protection.PassphraseMapKeyRingProtector;
|
||||||
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
|
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
|
||||||
|
@ -288,6 +290,96 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException {
|
||||||
|
Iterator<PGPPublicKey> iterator = secretKeyRing.getPublicKeys();
|
||||||
|
while (iterator.hasNext()) {
|
||||||
|
PGPPublicKey publicKey = iterator.next();
|
||||||
|
try {
|
||||||
|
revokeUserId(userId, new OpenPgpV4Fingerprint(publicKey), secretKeyRingProtector, revocationAttributes);
|
||||||
|
} catch (IllegalArgumentException | NoSuchElementException e) {
|
||||||
|
// skip
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
OpenPgpV4Fingerprint subkeyFingerprint,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException {
|
||||||
|
PGPPublicKey publicKey = secretKeyRing.getPublicKey(subkeyFingerprint.getKeyId());
|
||||||
|
if (publicKey == null) {
|
||||||
|
throw new IllegalArgumentException("Key ring does not carry a public key with fingerprint " + subkeyFingerprint);
|
||||||
|
}
|
||||||
|
|
||||||
|
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
|
||||||
|
if (!info.getUserIds().contains(userId)) {
|
||||||
|
throw new NoSuchElementException("Key " + subkeyFingerprint + " does not carry userID '" + userId + '\'');
|
||||||
|
}
|
||||||
|
|
||||||
|
return doRevokeUserId(userId, subkeyFingerprint.getKeyId(), secretKeyRingProtector, revocationAttributes);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
long subkeyId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException {
|
||||||
|
PGPPublicKey publicKey = secretKeyRing.getPublicKey(subkeyId);
|
||||||
|
if (publicKey == null) {
|
||||||
|
throw new IllegalArgumentException("Key ring does not carry a public key with ID " + Long.toHexString(subkeyId));
|
||||||
|
}
|
||||||
|
|
||||||
|
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
|
||||||
|
if (!info.getUserIds().contains(userId)) {
|
||||||
|
throw new NoSuchElementException("Key " + Long.toHexString(subkeyId) + " does not carry userID '" + userId + '\'');
|
||||||
|
}
|
||||||
|
|
||||||
|
return doRevokeUserId(userId, subkeyId, secretKeyRingProtector, revocationAttributes);
|
||||||
|
}
|
||||||
|
|
||||||
|
private SecretKeyRingEditorInterface doRevokeUserId(String userId,
|
||||||
|
long subKeyId,
|
||||||
|
SecretKeyRingProtector protector,
|
||||||
|
RevocationAttributes revocationAttributes) throws PGPException {
|
||||||
|
PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subKeyId);
|
||||||
|
PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
|
||||||
|
PGPPrivateKey privateKey = unlockSecretKey(primaryKey, protector);
|
||||||
|
|
||||||
|
PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator();
|
||||||
|
subpacketGenerator.setSignatureCreationTime(false, new Date());
|
||||||
|
subpacketGenerator.setRevocable(false, false);
|
||||||
|
subpacketGenerator.setIssuerFingerprint(false, primaryKey);
|
||||||
|
if (revocationAttributes != null) {
|
||||||
|
RevocationAttributes.Reason reason = revocationAttributes.getReason();
|
||||||
|
if (reason != RevocationAttributes.Reason.NO_REASON
|
||||||
|
&& reason != RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) {
|
||||||
|
throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID");
|
||||||
|
}
|
||||||
|
subpacketGenerator.setRevocationReason(false, revocationAttributes.getReason().code(), revocationAttributes.getDescription());
|
||||||
|
}
|
||||||
|
|
||||||
|
PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey);
|
||||||
|
signatureGenerator.setHashedSubpackets(subpacketGenerator.generate());
|
||||||
|
signatureGenerator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey);
|
||||||
|
|
||||||
|
PGPSignature revocationSignature = signatureGenerator.generateCertification(userId, publicKey);
|
||||||
|
publicKey = PGPPublicKey.addCertification(publicKey, userId, revocationSignature);
|
||||||
|
|
||||||
|
PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing);
|
||||||
|
publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, publicKey);
|
||||||
|
secretKeyRing = PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing);
|
||||||
|
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public SecretKeyRingEditorInterface setExpirationDate(Date expiration,
|
public SecretKeyRingEditorInterface setExpirationDate(Date expiration,
|
||||||
SecretKeyRingProtector secretKeyRingProtector)
|
SecretKeyRingProtector secretKeyRingProtector)
|
||||||
|
|
|
@ -198,6 +198,101 @@ public interface SecretKeyRingEditorInterface {
|
||||||
RevocationAttributes revocationAttributes)
|
RevocationAttributes revocationAttributes)
|
||||||
throws PGPException;
|
throws PGPException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on any key in the key ring that is currently carrying the userID.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
default SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector)
|
||||||
|
throws PGPException {
|
||||||
|
return revokeUserIdOnAllSubkeys(userId, secretKeyRingProtector, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on any key in the key ring that is currently carrying the userID.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @param revocationAttributes reason for the revocation
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on the key that belongs to the given fingerprint.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param subkeyFingerprint fingerprint of the key on which the userID should be revoked
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
default SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
OpenPgpV4Fingerprint subkeyFingerprint,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector)
|
||||||
|
throws PGPException {
|
||||||
|
return revokeUserId(userId, subkeyFingerprint, secretKeyRingProtector, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on the key that belongs to the given fingerprint.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param subkeyFingerprint fingerprint of the key on which the userID should be revoked
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @param revocationAttributes reason for the revocation
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
OpenPgpV4Fingerprint subkeyFingerprint,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on the key that belongs to the given key ID.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param subKeyId ID of the subkey on which we the userID should be revoked
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
default SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
long subKeyId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector)
|
||||||
|
throws PGPException {
|
||||||
|
return revokeUserId(userId, subKeyId, secretKeyRingProtector, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revoke the given userID on the key that belongs to the given key ID.
|
||||||
|
*
|
||||||
|
* @param userId userId to revoke
|
||||||
|
* @param subkeyId ID of the subkey on which we the userID should be revoked
|
||||||
|
* @param secretKeyRingProtector protector to unlock the primary key
|
||||||
|
* @param revocationAttributes reason for the revocation
|
||||||
|
* @return the builder
|
||||||
|
*/
|
||||||
|
SecretKeyRingEditorInterface revokeUserId(String userId,
|
||||||
|
long subkeyId,
|
||||||
|
SecretKeyRingProtector secretKeyRingProtector,
|
||||||
|
RevocationAttributes revocationAttributes)
|
||||||
|
throws PGPException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the expiration date for the primary key of the key ring.
|
||||||
|
* If the key is supposed to never expire, then an expiration date of null is expected.
|
||||||
|
*
|
||||||
|
* @param expiration new expiration date or null
|
||||||
|
* @param secretKeyRingProtector
|
||||||
|
* @return
|
||||||
|
* @throws PGPException
|
||||||
|
*/
|
||||||
SecretKeyRingEditorInterface setExpirationDate(Date expiration,
|
SecretKeyRingEditorInterface setExpirationDate(Date expiration,
|
||||||
SecretKeyRingProtector secretKeyRingProtector)
|
SecretKeyRingProtector secretKeyRingProtector)
|
||||||
throws PGPException;
|
throws PGPException;
|
||||||
|
|
|
@ -116,16 +116,12 @@ public class SignatureUtils {
|
||||||
}
|
}
|
||||||
|
|
||||||
public static boolean isSelfSignatureValid(PGPSignature signature, PGPPublicKey publicKey) throws PGPException {
|
public static boolean isSelfSignatureValid(PGPSignature signature, PGPPublicKey publicKey) throws PGPException {
|
||||||
switch (signature.getSignatureType()) {
|
for (Iterator<String> it = publicKey.getUserIDs(); it.hasNext(); ) {
|
||||||
case PGPSignature.POSITIVE_CERTIFICATION:
|
String userId = it.next();
|
||||||
case PGPSignature.DEFAULT_CERTIFICATION:
|
boolean valid = isSelfSignatureOnUserIdValid(signature, userId, publicKey);
|
||||||
for (Iterator<String> it = publicKey.getUserIDs(); it.hasNext(); ) {
|
if (valid) {
|
||||||
String userId = it.next();
|
return true;
|
||||||
boolean valid = isSelfSignatureOnUserIdValid(signature, userId, publicKey);
|
}
|
||||||
if (valid) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,6 +27,7 @@ import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
|
||||||
import org.bouncycastle.openpgp.PGPUtil;
|
import org.bouncycastle.openpgp.PGPUtil;
|
||||||
import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
|
import org.bouncycastle.openpgp.operator.KeyFingerPrintCalculator;
|
||||||
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
|
import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
|
||||||
|
import org.pgpainless.util.Passphrase;
|
||||||
|
|
||||||
public class TestKeys {
|
public class TestKeys {
|
||||||
|
|
||||||
|
@ -225,6 +226,7 @@ public class TestKeys {
|
||||||
|
|
||||||
public static final String CRYPTIE_UID = "cryptie@encrypted.key";
|
public static final String CRYPTIE_UID = "cryptie@encrypted.key";
|
||||||
public static final String CRYPTIE_PASSWORD = "password123";
|
public static final String CRYPTIE_PASSWORD = "password123";
|
||||||
|
public static final Passphrase CRYPTIE_PASSPHRASE = Passphrase.fromPassword(CRYPTIE_PASSWORD);
|
||||||
public static final long CRYPTIE_KEY_ID = -821156605394703576L;
|
public static final long CRYPTIE_KEY_ID = -821156605394703576L;
|
||||||
public static final String CRYPTIE_FINGERPRINT_STRING = "A395D3BA58CA3FA0DE8F2991F49AAA6B067BAB28";
|
public static final String CRYPTIE_FINGERPRINT_STRING = "A395D3BA58CA3FA0DE8F2991F49AAA6B067BAB28";
|
||||||
public static final OpenPgpV4Fingerprint CRYPTIE_FINGERPRINT = new OpenPgpV4Fingerprint(CRYPTIE_FINGERPRINT_STRING);
|
public static final OpenPgpV4Fingerprint CRYPTIE_FINGERPRINT = new OpenPgpV4Fingerprint(CRYPTIE_FINGERPRINT_STRING);
|
||||||
|
|
|
@ -17,6 +17,8 @@ package org.pgpainless.key.info;
|
||||||
|
|
||||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||||
import static org.junit.jupiter.api.Assertions.assertFalse;
|
import static org.junit.jupiter.api.Assertions.assertFalse;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertNotNull;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
@ -24,23 +26,25 @@ import java.security.InvalidAlgorithmParameterException;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import java.util.NoSuchElementException;
|
||||||
|
|
||||||
|
import org.bouncycastle.bcpg.SignatureSubpacketTags;
|
||||||
|
import org.bouncycastle.bcpg.sig.RevocationReason;
|
||||||
import org.bouncycastle.openpgp.PGPException;
|
import org.bouncycastle.openpgp.PGPException;
|
||||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
|
||||||
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
|
||||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||||
import org.bouncycastle.openpgp.PGPSignature;
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
import org.bouncycastle.openpgp.PGPSignatureGenerator;
|
|
||||||
import org.junit.jupiter.api.Test;
|
import org.junit.jupiter.api.Test;
|
||||||
import org.pgpainless.PGPainless;
|
import org.pgpainless.PGPainless;
|
||||||
import org.pgpainless.algorithm.KeyFlag;
|
import org.pgpainless.algorithm.KeyFlag;
|
||||||
import org.pgpainless.algorithm.SignatureType;
|
import org.pgpainless.key.TestKeys;
|
||||||
import org.pgpainless.key.generation.KeySpec;
|
import org.pgpainless.key.generation.KeySpec;
|
||||||
import org.pgpainless.key.generation.type.KeyType;
|
import org.pgpainless.key.generation.type.KeyType;
|
||||||
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
|
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
|
||||||
import org.pgpainless.key.generation.type.xdh.XDHCurve;
|
import org.pgpainless.key.generation.type.xdh.XDHCurve;
|
||||||
|
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
|
||||||
|
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||||
import org.pgpainless.key.protection.UnprotectedKeysProtector;
|
import org.pgpainless.key.protection.UnprotectedKeysProtector;
|
||||||
import org.pgpainless.key.util.KeyRingUtils;
|
import org.pgpainless.key.util.RevocationAttributes;
|
||||||
import org.pgpainless.key.util.SignatureUtils;
|
import org.pgpainless.key.util.SignatureUtils;
|
||||||
|
|
||||||
public class UserIdRevocationTest {
|
public class UserIdRevocationTest {
|
||||||
|
@ -59,23 +63,97 @@ public class UserIdRevocationTest {
|
||||||
.withoutPassphrase()
|
.withoutPassphrase()
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
PGPPublicKey publicKey = secretKeys.getPublicKey();
|
|
||||||
Thread.sleep(1000);
|
Thread.sleep(1000);
|
||||||
PGPSignatureGenerator generator = SignatureUtils.getSignatureGeneratorFor(secretKeys.getSecretKey());
|
|
||||||
generator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), secretKeys.getSecretKey().extractPrivateKey(
|
|
||||||
new UnprotectedKeysProtector().getDecryptor(secretKeys.getSecretKey().getKeyID())));
|
|
||||||
|
|
||||||
PGPSignature signature = generator.generateCertification("secondary@key.id", publicKey);
|
// make a copy with revoked subkey
|
||||||
publicKey = PGPPublicKey.addCertification(publicKey, "secondary@key.id", signature);
|
PGPSecretKeyRing revoked = PGPainless.modifyKeyRing(secretKeys)
|
||||||
PGPPublicKeyRing publicKeys = KeyRingUtils.publicKeyRingFrom(secretKeys);
|
.revokeUserIdOnAllSubkeys("secondary@key.id", new UnprotectedKeysProtector())
|
||||||
publicKeys = PGPPublicKeyRing.insertPublicKey(publicKeys, publicKey);
|
.done();
|
||||||
secretKeys = PGPSecretKeyRing.replacePublicKeys(secretKeys, publicKeys);
|
|
||||||
|
|
||||||
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
|
KeyRingInfo info = PGPainless.inspectKeyRing(revoked);
|
||||||
List<String> userIds = info.getUserIds();
|
List<String> userIds = info.getUserIds();
|
||||||
assertEquals(Arrays.asList("primary@key.id", "secondary@key.id"), userIds);
|
assertEquals(Arrays.asList("primary@key.id", "secondary@key.id"), userIds);
|
||||||
assertTrue(info.isUserIdValid("primary@key.id"));
|
assertTrue(info.isUserIdValid("primary@key.id"));
|
||||||
assertFalse(info.isUserIdValid("sedondary@key.id"));
|
assertFalse(info.isUserIdValid("sedondary@key.id"));
|
||||||
assertFalse(info.isUserIdValid("tertiary@key.id"));
|
assertFalse(info.isUserIdValid("tertiary@key.id"));
|
||||||
|
|
||||||
|
info = PGPainless.inspectKeyRing(secretKeys);
|
||||||
|
assertTrue(info.isUserIdValid("secondary@key.id")); // key on original secret key ring is still valid
|
||||||
|
|
||||||
|
revoked = PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("secondary@key.id", secretKeys.getSecretKey().getKeyID(), new UnprotectedKeysProtector())
|
||||||
|
.done();
|
||||||
|
info = PGPainless.inspectKeyRing(revoked);
|
||||||
|
userIds = info.getUserIds();
|
||||||
|
assertEquals(Arrays.asList("primary@key.id", "secondary@key.id"), userIds);
|
||||||
|
assertTrue(info.isUserIdValid("primary@key.id"));
|
||||||
|
assertFalse(info.isUserIdValid("sedondary@key.id"));
|
||||||
|
assertFalse(info.isUserIdValid("tertiary@key.id"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testRevocationWithRevocationReason() throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, PGPException, InterruptedException {
|
||||||
|
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
|
||||||
|
.withSubKey(KeySpec.getBuilder(KeyType.XDH(XDHCurve._X25519))
|
||||||
|
.withKeyFlags(KeyFlag.ENCRYPT_COMMS)
|
||||||
|
.withDefaultAlgorithms())
|
||||||
|
.withMasterKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519))
|
||||||
|
.withKeyFlags(KeyFlag.SIGN_DATA, KeyFlag.CERTIFY_OTHER)
|
||||||
|
.withDefaultAlgorithms())
|
||||||
|
.withPrimaryUserId("primary@key.id")
|
||||||
|
.withAdditionalUserId("secondary@key.id")
|
||||||
|
.withoutPassphrase()
|
||||||
|
.build();
|
||||||
|
|
||||||
|
Thread.sleep(1000);
|
||||||
|
|
||||||
|
secretKeys = PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserIdOnAllSubkeys("secondary@key.id", new UnprotectedKeysProtector(),
|
||||||
|
RevocationAttributes.createCertificateRevocation()
|
||||||
|
.withReason(RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID)
|
||||||
|
.withDescription("I lost my mail password"))
|
||||||
|
.done();
|
||||||
|
PGPSignature s = PGPainless.inspectKeyRing(secretKeys).getLatestValidSelfSignatureOnKey();
|
||||||
|
PGPSignature signature = SignatureUtils.getLatestSelfSignatureForUserId(secretKeys.getPublicKey(), "secondary@key.id");
|
||||||
|
RevocationReason reason = (RevocationReason) signature.getHashedSubPackets()
|
||||||
|
.getSubpacket(SignatureSubpacketTags.REVOCATION_REASON);
|
||||||
|
assertNotNull(reason);
|
||||||
|
assertEquals("I lost my mail password", reason.getRevocationDescription());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void unknownKeyThrowsIllegalArgumentException() throws IOException, PGPException {
|
||||||
|
PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing();
|
||||||
|
SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector
|
||||||
|
.forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE);
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("cryptie@encrypted.key", 1L, protector));
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("cryptie@encrypted.key", TestKeys.EMIL_FINGERPRINT, protector));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void unknownUserIdThrowsNoSuchElementException() throws IOException, PGPException {
|
||||||
|
PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing();
|
||||||
|
SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector
|
||||||
|
.forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE);
|
||||||
|
|
||||||
|
assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("invalid@user.id", TestKeys.CRYPTIE_FINGERPRINT, protector));
|
||||||
|
assertThrows(NoSuchElementException.class, () -> PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("invalid@user.id", TestKeys.CRYPTIE_KEY_ID, protector));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void invalidRevocationReasonThrowsIllegalArgumentException() throws IOException, PGPException {
|
||||||
|
PGPSecretKeyRing secretKeys = TestKeys.getCryptieSecretKeyRing();
|
||||||
|
SecretKeyRingProtector protector = PasswordBasedSecretKeyRingProtector
|
||||||
|
.forKey(secretKeys.getSecretKey(), TestKeys.CRYPTIE_PASSPHRASE);
|
||||||
|
|
||||||
|
assertThrows(IllegalArgumentException.class, () -> PGPainless.modifyKeyRing(secretKeys)
|
||||||
|
.revokeUserId("cryptie@encrypted.key", secretKeys.getSecretKey().getKeyID(), protector,
|
||||||
|
RevocationAttributes.createKeyRevocation().withReason(RevocationAttributes.Reason.KEY_RETIRED)
|
||||||
|
.withDescription("This is not a valid certification revocation reason.")));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -42,7 +42,7 @@ public class OldSignatureSubpacketsArePreservedOnNewSig {
|
||||||
|
|
||||||
OpenPgpV4Fingerprint subkeyFingerprint = new OpenPgpV4Fingerprint(PGPainless.inspectKeyRing(secretKeys).getPublicKeys().get(1));
|
OpenPgpV4Fingerprint subkeyFingerprint = new OpenPgpV4Fingerprint(PGPainless.inspectKeyRing(secretKeys).getPublicKeys().get(1));
|
||||||
|
|
||||||
PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getLatestValidSelfOrBindingSignature(subkeyFingerprint);
|
PGPSignature oldSignature = PGPainless.inspectKeyRing(secretKeys).getLatestValidSelfOrBindingSignatureOnKey(subkeyFingerprint);
|
||||||
PGPSignatureSubpacketVector oldPackets = oldSignature.getHashedSubPackets();
|
PGPSignatureSubpacketVector oldPackets = oldSignature.getHashedSubPackets();
|
||||||
|
|
||||||
assertEquals(0, oldPackets.getKeyExpirationTime());
|
assertEquals(0, oldPackets.getKeyExpirationTime());
|
||||||
|
@ -51,7 +51,7 @@ public class OldSignatureSubpacketsArePreservedOnNewSig {
|
||||||
secretKeys = PGPainless.modifyKeyRing(secretKeys)
|
secretKeys = PGPainless.modifyKeyRing(secretKeys)
|
||||||
.setExpirationDate(subkeyFingerprint, new Date(), new UnprotectedKeysProtector())
|
.setExpirationDate(subkeyFingerprint, new Date(), new UnprotectedKeysProtector())
|
||||||
.done();
|
.done();
|
||||||
PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getLatestValidSelfOrBindingSignature(subkeyFingerprint);
|
PGPSignature newSignature = PGPainless.inspectKeyRing(secretKeys).getLatestValidSelfOrBindingSignatureOnKey(subkeyFingerprint);
|
||||||
PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets();
|
PGPSignatureSubpacketVector newPackets = newSignature.getHashedSubPackets();
|
||||||
|
|
||||||
assertNotEquals(0, newPackets.getKeyExpirationTime());
|
assertNotEquals(0, newPackets.getKeyExpirationTime());
|
||||||
|
|
Loading…
Reference in a new issue