mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-25 04:17:59 +01:00
Reuse *SignatureCheck class
This commit is contained in:
parent
96a545632e
commit
f2bd51a2c6
4 changed files with 170 additions and 255 deletions
|
@ -60,7 +60,7 @@ import org.pgpainless.key.info.KeyRingInfo;
|
||||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||||
import org.pgpainless.signature.SignatureUtils;
|
import org.pgpainless.signature.SignatureUtils;
|
||||||
import org.pgpainless.signature.consumer.DetachedSignatureCheck;
|
import org.pgpainless.signature.consumer.SignatureCheck;
|
||||||
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
|
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
|
||||||
import org.pgpainless.util.ArmoredInputStreamFactory;
|
import org.pgpainless.util.ArmoredInputStreamFactory;
|
||||||
import org.pgpainless.util.Passphrase;
|
import org.pgpainless.util.Passphrase;
|
||||||
|
@ -79,7 +79,7 @@ public final class DecryptionStreamFactory {
|
||||||
private final ConsumerOptions options;
|
private final ConsumerOptions options;
|
||||||
private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
|
private final OpenPgpMetadata.Builder resultBuilder = OpenPgpMetadata.getBuilder();
|
||||||
private final List<OnePassSignatureCheck> onePassSignatureChecks = new ArrayList<>();
|
private final List<OnePassSignatureCheck> onePassSignatureChecks = new ArrayList<>();
|
||||||
private final List<DetachedSignatureCheck> detachedSignatureChecks = new ArrayList<>();
|
private final List<SignatureCheck> signatureChecks = new ArrayList<>();
|
||||||
private final Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert = new HashMap<>();
|
private final Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert = new HashMap<>();
|
||||||
|
|
||||||
private static final PGPContentVerifierBuilderProvider verifierBuilderProvider =
|
private static final PGPContentVerifierBuilderProvider verifierBuilderProvider =
|
||||||
|
@ -88,7 +88,7 @@ public final class DecryptionStreamFactory {
|
||||||
|
|
||||||
|
|
||||||
public static DecryptionStream create(@Nonnull InputStream inputStream,
|
public static DecryptionStream create(@Nonnull InputStream inputStream,
|
||||||
@Nonnull ConsumerOptions options)
|
@Nonnull ConsumerOptions options)
|
||||||
throws PGPException, IOException {
|
throws PGPException, IOException {
|
||||||
OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(inputStream);
|
OpenPgpInputStream openPgpInputStream = new OpenPgpInputStream(inputStream);
|
||||||
openPgpInputStream.reset();
|
openPgpInputStream.reset();
|
||||||
|
@ -134,9 +134,9 @@ public final class DecryptionStreamFactory {
|
||||||
SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
|
SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
|
||||||
try {
|
try {
|
||||||
signature.init(verifierBuilderProvider, signingKey);
|
signature.init(verifierBuilderProvider, signingKey);
|
||||||
DetachedSignatureCheck detachedSignature =
|
SignatureCheck detachedSignature =
|
||||||
new DetachedSignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
|
new SignatureCheck(signature, signingKeyRing, signingKeyIdentifier);
|
||||||
detachedSignatureChecks.add(detachedSignature);
|
signatureChecks.add(detachedSignature);
|
||||||
} catch (PGPException e) {
|
} catch (PGPException e) {
|
||||||
SignatureValidationException ex = new SignatureValidationException(
|
SignatureValidationException ex = new SignatureValidationException(
|
||||||
"Cannot verify detached signature made by " + signingKeyIdentifier + ".", e);
|
"Cannot verify detached signature made by " + signingKeyIdentifier + ".", e);
|
||||||
|
@ -212,7 +212,7 @@ public final class DecryptionStreamFactory {
|
||||||
private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
|
private InputStream wrapInVerifySignatureStream(InputStream bufferedIn, @Nullable PGPObjectFactory objectFactory) {
|
||||||
return new SignatureInputStream.VerifySignatures(
|
return new SignatureInputStream.VerifySignatures(
|
||||||
bufferedIn, objectFactory, onePassSignatureChecks,
|
bufferedIn, objectFactory, onePassSignatureChecks,
|
||||||
onePassSignaturesWithMissingCert, detachedSignatureChecks, options,
|
onePassSignaturesWithMissingCert, signatureChecks, options,
|
||||||
resultBuilder);
|
resultBuilder);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -348,7 +348,7 @@ public final class DecryptionStreamFactory {
|
||||||
}
|
}
|
||||||
|
|
||||||
return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory,
|
return new SignatureInputStream.VerifySignatures(literalDataInputStream, objectFactory,
|
||||||
onePassSignatureChecks, onePassSignaturesWithMissingCert, detachedSignatureChecks, options, resultBuilder) {
|
onePassSignatureChecks, onePassSignaturesWithMissingCert, signatureChecks, options, resultBuilder) {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
package org.pgpainless.decryption_verification;
|
package org.pgpainless.decryption_verification;
|
||||||
|
|
||||||
import java.io.BufferedInputStream;
|
import java.io.BufferedInputStream;
|
||||||
import java.io.ByteArrayOutputStream;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.io.OutputStream;
|
import java.io.OutputStream;
|
||||||
|
@ -31,6 +30,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||||
import org.bouncycastle.openpgp.PGPSecretKey;
|
import org.bouncycastle.openpgp.PGPSecretKey;
|
||||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||||
import org.bouncycastle.openpgp.PGPSignature;
|
import org.bouncycastle.openpgp.PGPSignature;
|
||||||
|
import org.bouncycastle.openpgp.PGPSignatureList;
|
||||||
import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
|
import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory;
|
||||||
import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
|
import org.bouncycastle.openpgp.operator.PGPContentVerifierBuilderProvider;
|
||||||
import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
|
import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
|
||||||
|
@ -44,6 +44,8 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
|
||||||
import org.pgpainless.decryption_verification.automaton.InputAlphabet;
|
import org.pgpainless.decryption_verification.automaton.InputAlphabet;
|
||||||
import org.pgpainless.decryption_verification.automaton.PDA;
|
import org.pgpainless.decryption_verification.automaton.PDA;
|
||||||
import org.pgpainless.decryption_verification.automaton.StackAlphabet;
|
import org.pgpainless.decryption_verification.automaton.StackAlphabet;
|
||||||
|
import org.pgpainless.decryption_verification.cleartext_signatures.ClearsignedMessageUtil;
|
||||||
|
import org.pgpainless.decryption_verification.cleartext_signatures.MultiPassStrategy;
|
||||||
import org.pgpainless.exception.MalformedOpenPgpMessageException;
|
import org.pgpainless.exception.MalformedOpenPgpMessageException;
|
||||||
import org.pgpainless.exception.MessageNotIntegrityProtectedException;
|
import org.pgpainless.exception.MessageNotIntegrityProtectedException;
|
||||||
import org.pgpainless.exception.MissingDecryptionMethodException;
|
import org.pgpainless.exception.MissingDecryptionMethodException;
|
||||||
|
@ -56,7 +58,9 @@ import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||||
import org.pgpainless.policy.Policy;
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.SignatureUtils;
|
import org.pgpainless.signature.SignatureUtils;
|
||||||
import org.pgpainless.signature.consumer.SignatureValidator;
|
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
|
||||||
|
import org.pgpainless.signature.consumer.SignatureCheck;
|
||||||
|
import org.pgpainless.signature.consumer.SignatureVerifier;
|
||||||
import org.pgpainless.util.ArmoredInputStreamFactory;
|
import org.pgpainless.util.ArmoredInputStreamFactory;
|
||||||
import org.pgpainless.util.Passphrase;
|
import org.pgpainless.util.Passphrase;
|
||||||
import org.pgpainless.util.SessionKey;
|
import org.pgpainless.util.SessionKey;
|
||||||
|
@ -93,7 +97,9 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
@Nonnull ConsumerOptions options,
|
@Nonnull ConsumerOptions options,
|
||||||
@Nonnull Policy policy)
|
@Nonnull Policy policy)
|
||||||
throws PGPException, IOException {
|
throws PGPException, IOException {
|
||||||
this(prepareInputStream(inputStream, options), options, new MessageMetadata.Message(), policy);
|
this(
|
||||||
|
prepareInputStream(inputStream, options, policy),
|
||||||
|
options, new MessageMetadata.Message(), policy);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
|
protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
|
||||||
|
@ -120,7 +126,20 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
consumePackets();
|
consumePackets();
|
||||||
}
|
}
|
||||||
|
|
||||||
private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options) throws IOException {
|
protected OpenPgpMessageInputStream(@Nonnull InputStream inputStream,
|
||||||
|
@Nonnull Policy policy,
|
||||||
|
@Nonnull ConsumerOptions options) {
|
||||||
|
super(OpenPgpMetadata.getBuilder());
|
||||||
|
this.policy = policy;
|
||||||
|
this.options = options;
|
||||||
|
this.metadata = new MessageMetadata.Message();
|
||||||
|
this.signatures = new Signatures(options);
|
||||||
|
this.signatures.addDetachedSignatures(options.getDetachedSignatures());
|
||||||
|
this.packetInputStream = new TeeBCPGInputStream(BCPGInputStream.wrap(inputStream), signatures);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static InputStream prepareInputStream(InputStream inputStream, ConsumerOptions options, Policy policy)
|
||||||
|
throws IOException, PGPException {
|
||||||
OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
|
OpenPgpInputStream openPgpIn = new OpenPgpInputStream(inputStream);
|
||||||
openPgpIn.reset();
|
openPgpIn.reset();
|
||||||
|
|
||||||
|
@ -131,7 +150,7 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
if (openPgpIn.isAsciiArmored()) {
|
if (openPgpIn.isAsciiArmored()) {
|
||||||
ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
|
ArmoredInputStream armorIn = ArmoredInputStreamFactory.get(openPgpIn);
|
||||||
if (armorIn.isClearText()) {
|
if (armorIn.isClearText()) {
|
||||||
return armorIn;
|
return parseCleartextSignedMessage(armorIn, options, policy);
|
||||||
} else {
|
} else {
|
||||||
return armorIn;
|
return armorIn;
|
||||||
}
|
}
|
||||||
|
@ -140,6 +159,19 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static DecryptionStream parseCleartextSignedMessage(ArmoredInputStream armorIn, ConsumerOptions options, Policy policy)
|
||||||
|
throws IOException, PGPException {
|
||||||
|
MultiPassStrategy multiPassStrategy = options.getMultiPassStrategy();
|
||||||
|
PGPSignatureList signatures = ClearsignedMessageUtil.detachSignaturesFromInbandClearsignedMessage(armorIn, multiPassStrategy.getMessageOutputStream());
|
||||||
|
|
||||||
|
for (PGPSignature signature : signatures) {
|
||||||
|
options.addVerificationOfDetachedSignature(signature);
|
||||||
|
}
|
||||||
|
|
||||||
|
options.forceNonOpenPgpData();
|
||||||
|
return new OpenPgpMessageInputStream(multiPassStrategy.getMessageInputStream(), policy, options);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Consume OpenPGP packets from the current {@link BCPGInputStream}.
|
* Consume OpenPGP packets from the current {@link BCPGInputStream}.
|
||||||
* Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
|
* Once an OpenPGP packet with nested data (Literal Data, Compressed Data, Encrypted Data) is reached,
|
||||||
|
@ -575,17 +607,58 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public OpenPgpMetadata getResult() {
|
||||||
|
MessageMetadata m = getMetadata();
|
||||||
|
resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
|
||||||
|
resultBuilder.setModificationDate(m.getModificationDate());
|
||||||
|
resultBuilder.setFileName(m.getFilename());
|
||||||
|
resultBuilder.setFileEncoding(m.getFormat());
|
||||||
|
resultBuilder.setSessionKey(m.getSessionKey());
|
||||||
|
resultBuilder.setDecryptionKey(m.getDecryptionKey());
|
||||||
|
|
||||||
|
for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
|
||||||
|
resultBuilder.addVerifiedDetachedSignature(accepted);
|
||||||
|
}
|
||||||
|
for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
|
||||||
|
resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
|
||||||
|
}
|
||||||
|
|
||||||
|
for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
|
||||||
|
resultBuilder.addVerifiedInbandSignature(accepted);
|
||||||
|
}
|
||||||
|
for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
|
||||||
|
resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
|
||||||
|
}
|
||||||
|
|
||||||
|
return resultBuilder.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
static void log(String message) {
|
||||||
|
LOGGER.debug(message);
|
||||||
|
// CHECKSTYLE:OFF
|
||||||
|
System.out.println(message);
|
||||||
|
// CHECKSTYLE:ON
|
||||||
|
}
|
||||||
|
|
||||||
|
static void log(String message, Throwable e) {
|
||||||
|
log(message);
|
||||||
|
// CHECKSTYLE:OFF
|
||||||
|
e.printStackTrace();
|
||||||
|
// CHECKSTYLE:ON
|
||||||
|
}
|
||||||
|
|
||||||
// In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
|
// In 'OPS LIT("Foo") SIG', OPS is only updated with "Foo"
|
||||||
// In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
|
// In 'OPS[1] OPS LIT("Foo") SIG SIG', OPS[1] (nested) is updated with OPS LIT("Foo") SIG.
|
||||||
// Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
|
// Therefore, we need to handle the innermost signature layer differently when updating with Literal data.
|
||||||
// Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
|
// Furthermore, For 'OPS COMP(LIT("Foo")) SIG', the signature is updated with "Foo". CHAOS!!!
|
||||||
private static final class Signatures extends OutputStream {
|
private static final class Signatures extends OutputStream {
|
||||||
final ConsumerOptions options;
|
final ConsumerOptions options;
|
||||||
final List<DetachedOrPrependedSignature> detachedSignatures;
|
final List<SignatureCheck> detachedSignatures;
|
||||||
final List<DetachedOrPrependedSignature> prependedSignatures;
|
final List<SignatureCheck> prependedSignatures;
|
||||||
final List<OnePassSignature> onePassSignatures;
|
final List<OnePassSignatureCheck> onePassSignatures;
|
||||||
final Stack<List<OnePassSignature>> opsUpdateStack;
|
final Stack<List<OnePassSignatureCheck>> opsUpdateStack;
|
||||||
List<OnePassSignature> literalOPS = new ArrayList<>();
|
List<OnePassSignatureCheck> literalOPS = new ArrayList<>();
|
||||||
final List<PGPSignature> correspondingSignatures;
|
final List<PGPSignature> correspondingSignatures;
|
||||||
boolean isLiteral = true;
|
boolean isLiteral = true;
|
||||||
|
|
||||||
|
@ -605,31 +678,37 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
}
|
}
|
||||||
|
|
||||||
void addDetachedSignature(PGPSignature signature) {
|
void addDetachedSignature(PGPSignature signature) {
|
||||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
SignatureCheck check = initializeSignature(signature);
|
||||||
PGPPublicKeyRing certificate = findCertificate(keyId);
|
if (check != null) {
|
||||||
|
detachedSignatures.add(check);
|
||||||
if (certificate != null) {
|
|
||||||
initialize(signature, certificate, keyId);
|
|
||||||
this.detachedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void addPrependedSignature(PGPSignature signature) {
|
void addPrependedSignature(PGPSignature signature) {
|
||||||
|
SignatureCheck check = initializeSignature(signature);
|
||||||
|
if (check != null) {
|
||||||
|
this.prependedSignatures.add(check);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
SignatureCheck initializeSignature(PGPSignature signature) {
|
||||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||||
PGPPublicKeyRing certificate = findCertificate(keyId);
|
PGPPublicKeyRing certificate = findCertificate(keyId);
|
||||||
|
if (certificate == null) {
|
||||||
if (certificate != null) {
|
return null;
|
||||||
initialize(signature, certificate, keyId);
|
|
||||||
this.prependedSignatures.add(new DetachedOrPrependedSignature(signature, certificate, keyId));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
SubkeyIdentifier verifierKey = new SubkeyIdentifier(certificate, keyId);
|
||||||
|
initialize(signature, certificate, keyId);
|
||||||
|
return new SignatureCheck(signature, certificate, verifierKey);
|
||||||
}
|
}
|
||||||
|
|
||||||
void addOnePassSignature(PGPOnePassSignature signature) {
|
void addOnePassSignature(PGPOnePassSignature signature) {
|
||||||
PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
|
PGPPublicKeyRing certificate = findCertificate(signature.getKeyID());
|
||||||
|
|
||||||
if (certificate != null) {
|
if (certificate != null) {
|
||||||
OnePassSignature ops = new OnePassSignature(signature, certificate, signature.getKeyID());
|
OnePassSignatureCheck ops = new OnePassSignatureCheck(signature, certificate);
|
||||||
ops.init(certificate);
|
initialize(signature, certificate);
|
||||||
onePassSignatures.add(ops);
|
onePassSignatures.add(ops);
|
||||||
|
|
||||||
literalOPS.add(ops);
|
literalOPS.add(ops);
|
||||||
|
@ -641,40 +720,29 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
|
|
||||||
void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
|
void addCorrespondingOnePassSignature(PGPSignature signature, MessageMetadata.Layer layer, Policy policy) {
|
||||||
for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
|
for (int i = onePassSignatures.size() - 1; i >= 0; i--) {
|
||||||
OnePassSignature onePassSignature = onePassSignatures.get(i);
|
OnePassSignatureCheck onePassSignature = onePassSignatures.get(i);
|
||||||
if (onePassSignature.opSignature.getKeyID() != signature.getKeyID()) {
|
if (onePassSignature.getOnePassSignature().getKeyID() != signature.getKeyID()) {
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (onePassSignature.finished) {
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean correct = onePassSignature.verify(signature);
|
if (onePassSignature.getSignature() != null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
onePassSignature.setSignature(signature);
|
||||||
SignatureVerification verification = new SignatureVerification(signature,
|
SignatureVerification verification = new SignatureVerification(signature,
|
||||||
new SubkeyIdentifier(onePassSignature.certificate, onePassSignature.keyId));
|
new SubkeyIdentifier(onePassSignature.getVerificationKeys(), onePassSignature.getOnePassSignature().getKeyID()));
|
||||||
if (correct) {
|
|
||||||
PGPPublicKey signingKey = onePassSignature.certificate.getPublicKey(onePassSignature.keyId);
|
try {
|
||||||
try {
|
SignatureVerifier.verifyOnePassSignature(signature, onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID()), onePassSignature, policy);
|
||||||
checkSignatureValidity(signature, signingKey, policy);
|
layer.addVerifiedOnePassSignature(verification);
|
||||||
layer.addVerifiedOnePassSignature(verification);
|
} catch (SignatureValidationException e) {
|
||||||
} catch (SignatureValidationException e) {
|
layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
|
||||||
layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification, e));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
layer.addRejectedOnePassSignature(new SignatureVerification.Failure(verification,
|
|
||||||
new SignatureValidationException("Bad Signature.")));
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean checkSignatureValidity(PGPSignature signature, PGPPublicKey signingKey, Policy policy) throws SignatureValidationException {
|
|
||||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
|
||||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
|
||||||
SignatureValidator.signatureIsEffective().verify(signature);
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
void enterNesting() {
|
void enterNesting() {
|
||||||
opsUpdateStack.push(literalOPS);
|
opsUpdateStack.push(literalOPS);
|
||||||
literalOPS = new ArrayList<>();
|
literalOPS = new ArrayList<>();
|
||||||
|
@ -718,85 +786,75 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void updateLiteral(byte b) {
|
public void updateLiteral(byte b) {
|
||||||
for (OnePassSignature ops : literalOPS) {
|
for (OnePassSignatureCheck ops : literalOPS) {
|
||||||
ops.update(b);
|
ops.getOnePassSignature().update(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (DetachedOrPrependedSignature detached : detachedSignatures) {
|
for (SignatureCheck detached : detachedSignatures) {
|
||||||
detached.update(b);
|
detached.getSignature().update(b);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (DetachedOrPrependedSignature prepended : prependedSignatures) {
|
for (SignatureCheck prepended : prependedSignatures) {
|
||||||
prepended.update(b);
|
prepended.getSignature().update(b);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void updateLiteral(byte[] b, int off, int len) {
|
public void updateLiteral(byte[] b, int off, int len) {
|
||||||
for (OnePassSignature ops : literalOPS) {
|
for (OnePassSignatureCheck ops : literalOPS) {
|
||||||
ops.update(b, off, len);
|
ops.getOnePassSignature().update(b, off, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (DetachedOrPrependedSignature detached : detachedSignatures) {
|
for (SignatureCheck detached : detachedSignatures) {
|
||||||
detached.update(b, off, len);
|
detached.getSignature().update(b, off, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (DetachedOrPrependedSignature prepended : prependedSignatures) {
|
for (SignatureCheck prepended : prependedSignatures) {
|
||||||
prepended.update(b, off, len);
|
prepended.getSignature().update(b, off, len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void updatePacket(byte b) {
|
public void updatePacket(byte b) {
|
||||||
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
|
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
|
||||||
List<OnePassSignature> nestedOPSs = opsUpdateStack.get(i);
|
List<OnePassSignatureCheck> nestedOPSs = opsUpdateStack.get(i);
|
||||||
for (OnePassSignature ops : nestedOPSs) {
|
for (OnePassSignatureCheck ops : nestedOPSs) {
|
||||||
ops.update(b);
|
ops.getOnePassSignature().update(b);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void updatePacket(byte[] buf, int off, int len) {
|
public void updatePacket(byte[] buf, int off, int len) {
|
||||||
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
|
for (int i = opsUpdateStack.size() - 1; i >= 0; i--) {
|
||||||
List<OnePassSignature> nestedOPSs = opsUpdateStack.get(i);
|
List<OnePassSignatureCheck> nestedOPSs = opsUpdateStack.get(i);
|
||||||
for (OnePassSignature ops : nestedOPSs) {
|
for (OnePassSignatureCheck ops : nestedOPSs) {
|
||||||
ops.update(buf, off, len);
|
ops.getOnePassSignature().update(buf, off, len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void finish(MessageMetadata.Layer layer, Policy policy) {
|
public void finish(MessageMetadata.Layer layer, Policy policy) {
|
||||||
for (DetachedOrPrependedSignature detached : detachedSignatures) {
|
for (SignatureCheck detached : detachedSignatures) {
|
||||||
boolean correct = detached.verify();
|
SignatureVerification verification = new SignatureVerification(detached.getSignature(), detached.getSigningKeyIdentifier());
|
||||||
SignatureVerification verification = new SignatureVerification(
|
try {
|
||||||
detached.signature, new SubkeyIdentifier(detached.certificate, detached.keyId));
|
SignatureVerifier.verifyInitializedSignature(
|
||||||
if (correct) {
|
detached.getSignature(),
|
||||||
try {
|
detached.getSigningKeyRing().getPublicKey(detached.getSigningKeyIdentifier().getKeyId()),
|
||||||
PGPPublicKey signingKey = detached.certificate.getPublicKey(detached.keyId);
|
policy, detached.getSignature().getCreationTime());
|
||||||
checkSignatureValidity(detached.signature, signingKey, policy);
|
layer.addVerifiedDetachedSignature(verification);
|
||||||
layer.addVerifiedDetachedSignature(verification);
|
} catch (SignatureValidationException e) {
|
||||||
} catch (SignatureValidationException e) {
|
layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
|
||||||
layer.addRejectedDetachedSignature(new SignatureVerification.Failure(verification, e));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
layer.addRejectedDetachedSignature(new SignatureVerification.Failure(
|
|
||||||
verification, new SignatureValidationException("Incorrect Signature.")));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (DetachedOrPrependedSignature prepended : prependedSignatures) {
|
for (SignatureCheck prepended : prependedSignatures) {
|
||||||
boolean correct = prepended.verify();
|
SignatureVerification verification = new SignatureVerification(prepended.getSignature(), prepended.getSigningKeyIdentifier());
|
||||||
SignatureVerification verification = new SignatureVerification(
|
try {
|
||||||
prepended.signature, new SubkeyIdentifier(prepended.certificate, prepended.keyId));
|
SignatureVerifier.verifyInitializedSignature(
|
||||||
if (correct) {
|
prepended.getSignature(),
|
||||||
try {
|
prepended.getSigningKeyRing().getPublicKey(prepended.getSigningKeyIdentifier().getKeyId()),
|
||||||
PGPPublicKey signingKey = prepended.certificate.getPublicKey(prepended.keyId);
|
policy, prepended.getSignature().getCreationTime());
|
||||||
checkSignatureValidity(prepended.signature, signingKey, policy);
|
layer.addVerifiedPrependedSignature(verification);
|
||||||
layer.addVerifiedPrependedSignature(verification);
|
} catch (SignatureValidationException e) {
|
||||||
} catch (SignatureValidationException e) {
|
layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
|
||||||
layer.addRejectedPrependedSignature(new SignatureVerification.Failure(verification, e));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
layer.addRejectedPrependedSignature(new SignatureVerification.Failure(
|
|
||||||
verification, new SignatureValidationException("Incorrect Signature.")));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -822,148 +880,5 @@ public class OpenPgpMessageInputStream extends DecryptionStream {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static class DetachedOrPrependedSignature {
|
|
||||||
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
|
|
||||||
PGPSignature signature;
|
|
||||||
PGPPublicKeyRing certificate;
|
|
||||||
long keyId;
|
|
||||||
boolean finished;
|
|
||||||
boolean valid;
|
|
||||||
|
|
||||||
DetachedOrPrependedSignature(PGPSignature signature, PGPPublicKeyRing certificate, long keyId) {
|
|
||||||
this.signature = signature;
|
|
||||||
this.certificate = certificate;
|
|
||||||
this.keyId = keyId;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void init(PGPPublicKeyRing certificate) {
|
|
||||||
initialize(signature, certificate, signature.getKeyID());
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean verify() {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
finished = true;
|
|
||||||
try {
|
|
||||||
valid = this.signature.verify();
|
|
||||||
} catch (PGPException e) {
|
|
||||||
log("Cannot verify SIG " + signature.getKeyID());
|
|
||||||
}
|
|
||||||
return valid;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void update(byte b) {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
signature.update(b);
|
|
||||||
bytes.write(b);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void update(byte[] bytes, int off, int len) {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
signature.update(bytes, off, len);
|
|
||||||
this.bytes.write(bytes, off, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
static class OnePassSignature {
|
|
||||||
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
|
|
||||||
PGPOnePassSignature opSignature;
|
|
||||||
PGPSignature signature;
|
|
||||||
PGPPublicKeyRing certificate;
|
|
||||||
long keyId;
|
|
||||||
boolean finished;
|
|
||||||
boolean valid;
|
|
||||||
|
|
||||||
OnePassSignature(PGPOnePassSignature signature, PGPPublicKeyRing certificate, long keyId) {
|
|
||||||
this.opSignature = signature;
|
|
||||||
this.certificate = certificate;
|
|
||||||
this.keyId = keyId;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void init(PGPPublicKeyRing certificate) {
|
|
||||||
initialize(opSignature, certificate);
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean verify(PGPSignature signature) {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (this.opSignature.getKeyID() != signature.getKeyID()) {
|
|
||||||
// nope
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
this.signature = signature;
|
|
||||||
finished = true;
|
|
||||||
try {
|
|
||||||
valid = this.opSignature.verify(signature);
|
|
||||||
} catch (PGPException e) {
|
|
||||||
log("Cannot verify OPS " + signature.getKeyID());
|
|
||||||
}
|
|
||||||
return valid;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void update(byte b) {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
opSignature.update(b);
|
|
||||||
bytes.write(b);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void update(byte[] bytes, int off, int len) {
|
|
||||||
if (finished) {
|
|
||||||
throw new IllegalStateException("Already finished.");
|
|
||||||
}
|
|
||||||
opSignature.update(bytes, off, len);
|
|
||||||
this.bytes.write(bytes, off, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public OpenPgpMetadata getResult() {
|
|
||||||
MessageMetadata m = getMetadata();
|
|
||||||
resultBuilder.setCompressionAlgorithm(m.getCompressionAlgorithm());
|
|
||||||
resultBuilder.setModificationDate(m.getModificationDate());
|
|
||||||
resultBuilder.setFileName(m.getFilename());
|
|
||||||
resultBuilder.setFileEncoding(m.getFormat());
|
|
||||||
resultBuilder.setSessionKey(m.getSessionKey());
|
|
||||||
resultBuilder.setDecryptionKey(m.getDecryptionKey());
|
|
||||||
|
|
||||||
for (SignatureVerification accepted : m.getVerifiedDetachedSignatures()) {
|
|
||||||
resultBuilder.addVerifiedDetachedSignature(accepted);
|
|
||||||
}
|
|
||||||
for (SignatureVerification.Failure rejected : m.getRejectedDetachedSignatures()) {
|
|
||||||
resultBuilder.addInvalidDetachedSignature(rejected.getSignatureVerification(), rejected.getValidationException());
|
|
||||||
}
|
|
||||||
|
|
||||||
for (SignatureVerification accepted : m.getVerifiedInlineSignatures()) {
|
|
||||||
resultBuilder.addVerifiedInbandSignature(accepted);
|
|
||||||
}
|
|
||||||
for (SignatureVerification.Failure rejected : m.getRejectedInlineSignatures()) {
|
|
||||||
resultBuilder.addInvalidInbandSignature(rejected.getSignatureVerification(), rejected.getValidationException());
|
|
||||||
}
|
|
||||||
|
|
||||||
return resultBuilder.build();
|
|
||||||
}
|
|
||||||
|
|
||||||
static void log(String message) {
|
|
||||||
LOGGER.debug(message);
|
|
||||||
// CHECKSTYLE:OFF
|
|
||||||
System.out.println(message);
|
|
||||||
// CHECKSTYLE:ON
|
|
||||||
}
|
|
||||||
|
|
||||||
static void log(String message, Throwable e) {
|
|
||||||
log(message);
|
|
||||||
// CHECKSTYLE:OFF
|
|
||||||
e.printStackTrace();
|
|
||||||
// CHECKSTYLE:ON
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,7 +22,7 @@ import org.pgpainless.PGPainless;
|
||||||
import org.pgpainless.exception.SignatureValidationException;
|
import org.pgpainless.exception.SignatureValidationException;
|
||||||
import org.pgpainless.policy.Policy;
|
import org.pgpainless.policy.Policy;
|
||||||
import org.pgpainless.signature.consumer.CertificateValidator;
|
import org.pgpainless.signature.consumer.CertificateValidator;
|
||||||
import org.pgpainless.signature.consumer.DetachedSignatureCheck;
|
import org.pgpainless.signature.consumer.SignatureCheck;
|
||||||
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
|
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
|
||||||
import org.pgpainless.signature.SignatureUtils;
|
import org.pgpainless.signature.SignatureUtils;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
|
@ -41,7 +41,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
|
||||||
private final PGPObjectFactory objectFactory;
|
private final PGPObjectFactory objectFactory;
|
||||||
private final List<OnePassSignatureCheck> opSignatures;
|
private final List<OnePassSignatureCheck> opSignatures;
|
||||||
private final Map<Long, OnePassSignatureCheck> opSignaturesWithMissingCert;
|
private final Map<Long, OnePassSignatureCheck> opSignaturesWithMissingCert;
|
||||||
private final List<DetachedSignatureCheck> detachedSignatures;
|
private final List<SignatureCheck> detachedSignatures;
|
||||||
private final ConsumerOptions options;
|
private final ConsumerOptions options;
|
||||||
private final OpenPgpMetadata.Builder resultBuilder;
|
private final OpenPgpMetadata.Builder resultBuilder;
|
||||||
|
|
||||||
|
@ -50,7 +50,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
|
||||||
@Nullable PGPObjectFactory objectFactory,
|
@Nullable PGPObjectFactory objectFactory,
|
||||||
List<OnePassSignatureCheck> opSignatures,
|
List<OnePassSignatureCheck> opSignatures,
|
||||||
Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert,
|
Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert,
|
||||||
List<DetachedSignatureCheck> detachedSignatures,
|
List<SignatureCheck> detachedSignatures,
|
||||||
ConsumerOptions options,
|
ConsumerOptions options,
|
||||||
OpenPgpMetadata.Builder resultBuilder) {
|
OpenPgpMetadata.Builder resultBuilder) {
|
||||||
super(literalDataStream);
|
super(literalDataStream);
|
||||||
|
@ -170,7 +170,7 @@ public abstract class SignatureInputStream extends FilterInputStream {
|
||||||
|
|
||||||
private void verifyDetachedSignatures() {
|
private void verifyDetachedSignatures() {
|
||||||
Policy policy = PGPainless.getPolicy();
|
Policy policy = PGPainless.getPolicy();
|
||||||
for (DetachedSignatureCheck s : detachedSignatures) {
|
for (SignatureCheck s : detachedSignatures) {
|
||||||
try {
|
try {
|
||||||
signatureWasCreatedInBounds(options.getVerifyNotBefore(),
|
signatureWasCreatedInBounds(options.getVerifyNotBefore(),
|
||||||
options.getVerifyNotAfter()).verify(s.getSignature());
|
options.getVerifyNotAfter()).verify(s.getSignature());
|
||||||
|
@ -200,13 +200,13 @@ public abstract class SignatureInputStream extends FilterInputStream {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void updateDetachedSignatures(byte b) {
|
private void updateDetachedSignatures(byte b) {
|
||||||
for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
|
for (SignatureCheck detachedSignature : detachedSignatures) {
|
||||||
detachedSignature.getSignature().update(b);
|
detachedSignature.getSignature().update(b);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void updateDetachedSignatures(byte[] b, int off, int read) {
|
private void updateDetachedSignatures(byte[] b, int off, int read) {
|
||||||
for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
|
for (SignatureCheck detachedSignature : detachedSignatures) {
|
||||||
detachedSignature.getSignature().update(b, off, read);
|
detachedSignature.getSignature().update(b, off, read);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,19 +13,19 @@ import org.pgpainless.key.SubkeyIdentifier;
|
||||||
* Tuple-class which bundles together a signature, the signing key that created the signature,
|
* Tuple-class which bundles together a signature, the signing key that created the signature,
|
||||||
* an identifier of the signing key and a record of whether the signature was verified.
|
* an identifier of the signing key and a record of whether the signature was verified.
|
||||||
*/
|
*/
|
||||||
public class DetachedSignatureCheck {
|
public class SignatureCheck {
|
||||||
private final PGPSignature signature;
|
private final PGPSignature signature;
|
||||||
private final PGPKeyRing signingKeyRing;
|
private final PGPKeyRing signingKeyRing;
|
||||||
private final SubkeyIdentifier signingKeyIdentifier;
|
private final SubkeyIdentifier signingKeyIdentifier;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create a new {@link DetachedSignatureCheck} object.
|
* Create a new {@link SignatureCheck} object.
|
||||||
*
|
*
|
||||||
* @param signature signature
|
* @param signature signature
|
||||||
* @param signingKeyRing signing key that created the signature
|
* @param signingKeyRing signing key that created the signature
|
||||||
* @param signingKeyIdentifier identifier of the used signing key
|
* @param signingKeyIdentifier identifier of the used signing key
|
||||||
*/
|
*/
|
||||||
public DetachedSignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) {
|
public SignatureCheck(PGPSignature signature, PGPKeyRing signingKeyRing, SubkeyIdentifier signingKeyIdentifier) {
|
||||||
this.signature = signature;
|
this.signature = signature;
|
||||||
this.signingKeyRing = signingKeyRing;
|
this.signingKeyRing = signingKeyRing;
|
||||||
this.signingKeyIdentifier = signingKeyIdentifier;
|
this.signingKeyIdentifier = signingKeyIdentifier;
|
Loading…
Reference in a new issue