mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-23 03:17:58 +01:00
Do not attempt to verify signatures made by external keys using primary key.
This aims at fixing #266 in combination with #267.
This commit is contained in:
parent
0bce68d6ee
commit
f6c6b9aded
4 changed files with 33 additions and 0 deletions
|
@ -94,6 +94,10 @@ public final class KeyRingValidator {
|
|||
List<PGPSignature> signatures = CollectionUtils.iteratorToList(userIdSigs);
|
||||
Collections.sort(signatures, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
|
||||
for (PGPSignature signature : signatures) {
|
||||
if (signature.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Signature was not made by primary key
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||
if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
|
||||
|
@ -116,6 +120,10 @@ public final class KeyRingValidator {
|
|||
Iterator<PGPSignature> userAttributeSignatureIterator = primaryKey.getSignaturesForUserAttribute(userAttribute);
|
||||
while (userAttributeSignatureIterator.hasNext()) {
|
||||
PGPSignature signature = userAttributeSignatureIterator.next();
|
||||
if (signature.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Signature was not made by primary key
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
|
||||
if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {
|
||||
|
|
|
@ -72,6 +72,10 @@ public final class CertificateValidator {
|
|||
Iterator<PGPSignature> primaryKeyRevocationIterator = primaryKey.getSignaturesOfType(SignatureType.KEY_REVOCATION.getCode());
|
||||
while (primaryKeyRevocationIterator.hasNext()) {
|
||||
PGPSignature revocation = primaryKeyRevocationIterator.next();
|
||||
if (revocation.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Revocation was not made by primary key, skip
|
||||
// TODO: What about external revocation keys?
|
||||
}
|
||||
try {
|
||||
if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
|
||||
directKeySignatures.add(revocation);
|
||||
|
@ -86,6 +90,10 @@ public final class CertificateValidator {
|
|||
Iterator<PGPSignature> keySignatures = primaryKey.getSignaturesOfType(SignatureType.DIRECT_KEY.getCode());
|
||||
while (keySignatures.hasNext()) {
|
||||
PGPSignature keySignature = keySignatures.next();
|
||||
if (keySignature.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Signature was not made by primary key, skip
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
|
||||
directKeySignatures.add(keySignature);
|
||||
|
@ -112,6 +120,10 @@ public final class CertificateValidator {
|
|||
Iterator<PGPSignature> userIdSigs = primaryKey.getSignaturesForID(userId);
|
||||
while (userIdSigs.hasNext()) {
|
||||
PGPSignature userIdSig = userIdSigs.next();
|
||||
if (userIdSig.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Sig was made by external key, skip
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
|
||||
signaturesOnUserId.add(userIdSig);
|
||||
|
@ -168,6 +180,10 @@ public final class CertificateValidator {
|
|||
Iterator<PGPSignature> bindingRevocations = signingSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode());
|
||||
while (bindingRevocations.hasNext()) {
|
||||
PGPSignature revocation = bindingRevocations.next();
|
||||
if (revocation.getKeyID() != primaryKey.getKeyID()) {
|
||||
// Subkey Revocation was not made by primary key, skip
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
|
||||
subkeySigs.add(revocation);
|
||||
|
|
|
@ -209,10 +209,15 @@ public final class SignaturePicker {
|
|||
|
||||
Iterator<PGPSignature> userIdSigIterator = primaryKey.getSignaturesForID(userId);
|
||||
List<PGPSignature> signatures = CollectionUtils.iteratorToList(userIdSigIterator);
|
||||
|
||||
Collections.sort(signatures, new SignatureCreationDateComparator());
|
||||
|
||||
PGPSignature mostRecentUserIdCertification = null;
|
||||
for (PGPSignature signature : signatures) {
|
||||
if (primaryKey.getKeyID() != signature.getKeyID()) {
|
||||
// Signature not made by primary key
|
||||
continue;
|
||||
}
|
||||
try {
|
||||
SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
|
||||
} catch (SignatureValidationException e) {
|
||||
|
|
|
@ -89,6 +89,7 @@ public final class SignatureVerifier {
|
|||
*/
|
||||
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureIsCertification().verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
|
@ -129,6 +130,7 @@ public final class SignatureVerifier {
|
|||
*/
|
||||
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
|
@ -174,6 +176,7 @@ public final class SignatureVerifier {
|
|||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureIsCertification().verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
|
@ -219,6 +222,7 @@ public final class SignatureVerifier {
|
|||
PGPPublicKey keyWithUserAttributes, Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
|
||||
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
|
||||
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
|
||||
|
|
Loading…
Reference in a new issue