1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-26 22:32:07 +01:00

Do not attempt to verify signatures made by external keys using primary key.

This aims at fixing #266 in combination with #267.
This commit is contained in:
Paul Schaub 2022-04-05 14:10:04 +02:00
parent 0bce68d6ee
commit f6c6b9aded
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
4 changed files with 33 additions and 0 deletions

View file

@ -94,6 +94,10 @@ public final class KeyRingValidator {
List<PGPSignature> signatures = CollectionUtils.iteratorToList(userIdSigs);
Collections.sort(signatures, new SignatureCreationDateComparator(SignatureCreationDateComparator.Order.NEW_TO_OLD));
for (PGPSignature signature : signatures) {
if (signature.getKeyID() != primaryKey.getKeyID()) {
// Signature was not made by primary key
continue;
}
try {
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
if (SignatureVerifier.verifyUserIdRevocation(userId, signature, primaryKey, policy, validationDate)) {
@ -116,6 +120,10 @@ public final class KeyRingValidator {
Iterator<PGPSignature> userAttributeSignatureIterator = primaryKey.getSignaturesForUserAttribute(userAttribute);
while (userAttributeSignatureIterator.hasNext()) {
PGPSignature signature = userAttributeSignatureIterator.next();
if (signature.getKeyID() != primaryKey.getKeyID()) {
// Signature was not made by primary key
continue;
}
try {
if (SignatureType.valueOf(signature.getSignatureType()) == SignatureType.CERTIFICATION_REVOCATION) {
if (SignatureVerifier.verifyUserAttributesRevocation(userAttribute, signature, primaryKey, policy, validationDate)) {

View file

@ -72,6 +72,10 @@ public final class CertificateValidator {
Iterator<PGPSignature> primaryKeyRevocationIterator = primaryKey.getSignaturesOfType(SignatureType.KEY_REVOCATION.getCode());
while (primaryKeyRevocationIterator.hasNext()) {
PGPSignature revocation = primaryKeyRevocationIterator.next();
if (revocation.getKeyID() != primaryKey.getKeyID()) {
// Revocation was not made by primary key, skip
// TODO: What about external revocation keys?
}
try {
if (SignatureVerifier.verifyKeyRevocationSignature(revocation, primaryKey, policy, signature.getCreationTime())) {
directKeySignatures.add(revocation);
@ -86,6 +90,10 @@ public final class CertificateValidator {
Iterator<PGPSignature> keySignatures = primaryKey.getSignaturesOfType(SignatureType.DIRECT_KEY.getCode());
while (keySignatures.hasNext()) {
PGPSignature keySignature = keySignatures.next();
if (keySignature.getKeyID() != primaryKey.getKeyID()) {
// Signature was not made by primary key, skip
continue;
}
try {
if (SignatureVerifier.verifyDirectKeySignature(keySignature, primaryKey, policy, signature.getCreationTime())) {
directKeySignatures.add(keySignature);
@ -112,6 +120,10 @@ public final class CertificateValidator {
Iterator<PGPSignature> userIdSigs = primaryKey.getSignaturesForID(userId);
while (userIdSigs.hasNext()) {
PGPSignature userIdSig = userIdSigs.next();
if (userIdSig.getKeyID() != primaryKey.getKeyID()) {
// Sig was made by external key, skip
continue;
}
try {
if (SignatureVerifier.verifySignatureOverUserId(userId, userIdSig, primaryKey, policy, signature.getCreationTime())) {
signaturesOnUserId.add(userIdSig);
@ -168,6 +180,10 @@ public final class CertificateValidator {
Iterator<PGPSignature> bindingRevocations = signingSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode());
while (bindingRevocations.hasNext()) {
PGPSignature revocation = bindingRevocations.next();
if (revocation.getKeyID() != primaryKey.getKeyID()) {
// Subkey Revocation was not made by primary key, skip
continue;
}
try {
if (SignatureVerifier.verifySubkeyBindingRevocation(revocation, primaryKey, signingSubkey, policy, signature.getCreationTime())) {
subkeySigs.add(revocation);

View file

@ -209,10 +209,15 @@ public final class SignaturePicker {
Iterator<PGPSignature> userIdSigIterator = primaryKey.getSignaturesForID(userId);
List<PGPSignature> signatures = CollectionUtils.iteratorToList(userIdSigIterator);
Collections.sort(signatures, new SignatureCreationDateComparator());
PGPSignature mostRecentUserIdCertification = null;
for (PGPSignature signature : signatures) {
if (primaryKey.getKeyID() != signature.getKeyID()) {
// Signature not made by primary key
continue;
}
try {
SignatureVerifier.verifyUserIdCertification(userId, signature, primaryKey, policy, validationDate);
} catch (SignatureValidationException e) {

View file

@ -89,6 +89,7 @@ public final class SignatureVerifier {
*/
public static boolean verifyUserIdCertification(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@ -129,6 +130,7 @@ public final class SignatureVerifier {
*/
public static boolean verifyUserIdRevocation(String userId, PGPSignature signature, PGPPublicKey signingKey, PGPPublicKey keyWithUserId, Policy policy, Date validationDate)
throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@ -174,6 +176,7 @@ public final class SignatureVerifier {
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsCertification().verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);
@ -219,6 +222,7 @@ public final class SignatureVerifier {
PGPPublicKey keyWithUserAttributes, Policy policy,
Date validationDate)
throws SignatureValidationException {
SignatureValidator.wasPossiblyMadeByKey(signingKey).verify(signature);
SignatureValidator.signatureIsOfType(SignatureType.CERTIFICATION_REVOCATION).verify(signature);
SignatureValidator.signatureStructureIsAcceptable(signingKey, policy).verify(signature);
SignatureValidator.signatureIsEffective(validationDate).verify(signature);