Rework subkey-revocation using new signature subpackets api

2025-09-10 18:59:39 +02:00 · 2021-11-16 15:18:51 +01:00 · 2021-11-16 15:18:51 +01:00 · 24aebfaf63
commit 24aebfaf63
parent ab3ae15719
6 changed files with 254 additions and 114 deletions
--- a/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/key/modification/RevokeSubKeyTest.java
@ -4,14 +4,20 @@

 package org.pgpainless.key.modification;

+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;

 import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Iterator;

+import org.bouncycastle.bcpg.sig.IssuerFingerprint;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPSecretKey;
@ -21,6 +27,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.EncryptionPurpose;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
@ -29,6 +36,9 @@ import org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditorInterfac
 import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
 import org.pgpainless.key.protection.SecretKeyRingProtector;
 import org.pgpainless.key.util.RevocationAttributes;
+import org.pgpainless.signature.SignatureUtils;
+import org.pgpainless.signature.subpackets.RevocationSignatureSubpackets;
+import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
 import org.pgpainless.util.ArmorUtils;
 import org.pgpainless.util.Passphrase;

@ -123,4 +133,62 @@ public class RevokeSubKeyTest {
        RevocationAttributes.Reason reason = RevocationAttributes.Reason.KEY_COMPROMISED;
        assertEquals("2 - KEY_COMPROMISED", reason.toString());
    }
+
+    @Test
+    public void inspectSubpacketsOnDefaultRevocationSignature()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys)
+                .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0);
+
+        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+                .revokeSubKey(encryptionSubkey.getKeyID(), protector)
+                .done();
+
+        encryptionSubkey = secretKeys.getPublicKey(encryptionSubkey.getKeyID());
+        PGPSignature revocation = encryptionSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode()).next();
+        assertNotNull(revocation);
+
+        assertArrayEquals(
+                secretKeys.getPublicKey().getFingerprint(),
+                revocation.getHashedSubPackets().getIssuerFingerprint().getFingerprint());
+        assertEquals(secretKeys.getPublicKey().getKeyID(),
+                revocation.getHashedSubPackets().getIssuerKeyID());
+        assertNull(SignatureSubpacketsUtil.getRevocationReason(revocation));
+        assertTrue(SignatureUtils.isHardRevocation(revocation));
+    }
+
+    @Test
+    public void inspectSubpacketsOnModifiedRevocationSignature()
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException {
+        PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        SecretKeyRingProtector protector = SecretKeyRingProtector.unprotectedKeys();
+        PGPPublicKey encryptionSubkey = PGPainless.inspectKeyRing(secretKeys)
+                .getEncryptionSubkeys(EncryptionPurpose.ANY).get(0);
+
+        secretKeys = PGPainless.modifyKeyRing(secretKeys)
+                .revokeSubKey(encryptionSubkey.getKeyID(), protector, new RevocationSignatureSubpackets.Callback() {
+                    @Override
+                    public void modifyHashedSubpackets(RevocationSignatureSubpackets hashedSubpackets) {
+                        hashedSubpackets.setRevocationReason(
+                                RevocationAttributes.createKeyRevocation()
+                                        .withReason(RevocationAttributes.Reason.KEY_RETIRED)
+                                        .withDescription("I have a new Key."));
+                        // override issuer-fingerprint with null to test nulling of subpackets
+                        hashedSubpackets.setIssuerFingerprint((IssuerFingerprint) null);
+                    }
+                })
+                .done();
+
+        encryptionSubkey = secretKeys.getPublicKey(encryptionSubkey.getKeyID());
+        PGPSignature revocation = encryptionSubkey.getSignaturesOfType(SignatureType.SUBKEY_REVOCATION.getCode()).next();
+        assertNotNull(revocation);
+
+        assertNull(revocation.getHashedSubPackets().getIssuerFingerprint());
+        assertEquals(secretKeys.getPublicKey().getKeyID(),
+                revocation.getHashedSubPackets().getIssuerKeyID());
+        assertNotNull(SignatureSubpacketsUtil.getRevocationReason(revocation));
+        assertFalse(SignatureUtils.isHardRevocation(revocation));
+    }
 }