From 67af718db946501e9085e575ec17589ba6ccea1b Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Wed, 5 Mar 2025 10:57:06 +0100
Subject: [PATCH] Fix: Do not set IssuerKeyId on v6 key-signatures
---
 .../pgpainless/key/generation/KeyRingBuilder.kt | 2 +-
 .../subpackets/BaseSignatureSubpackets.kt | 13 +++++++++++++
 .../signature/subpackets/SignatureSubpackets.kt | 16 ++++++++++++++--
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
index d2e32ce1..69b03dda 100644
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
@@ -97,7 +97,7 @@ class KeyRingBuilder(
 val signatureGenerator = PGPSignatureGenerator(signer, certKey.publicKey)
 val hashedSubPacketGenerator = primaryKeySpec!!.subpacketGenerator
- hashedSubPacketGenerator.setIssuerFingerprintAndKeyId(certKey.publicKey)
+ hashedSubPacketGenerator.setAppropriateIssuerInfo(certKey.publicKey, version)
 expirationDate?.let { hashedSubPacketGenerator.setKeyExpirationTime(certKey.publicKey, it) }
 if (userIds.isNotEmpty()) {
 hashedSubPacketGenerator.setPrimaryUserId()
diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt
index b9d7fb3f..f3e22faf 100644
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/BaseSignatureSubpackets.kt
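Review bot: In the KeyRingBuilder.kt hunk, the `version` passed to `setAppropriateIssuerInfo(certKey.publicKey, version)` is supplied separately from the key, and nothing visible in the hunk guarantees it equals `certKey.publicKey.version`. If the two ever disagree, a v6 primary key could be self-certified with v4-style issuer subpackets, including the IssuerKeyID this patch is meant to drop. Consider the one-argument overload, `hashedSubPacketGenerator.setAppropriateIssuerInfo(certKey.publicKey)`, which derives the version from the key itself, or a `require` that both values match. The enclosing function begins and ends outside the hunk, so `version` may already be tied to the generated key there.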
@@ -11,12 +11,25 @@ import org.bouncycastle.bcpg.sig.*
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.PGPSignature
 import org.pgpainless.algorithm.HashAlgorithm
+import org.pgpainless.algorithm.OpenPGPKeyVersion
 import org.pgpainless.algorithm.PublicKeyAlgorithm
 interface BaseSignatureSubpackets {
 interface Callback : SignatureSubpacketCallback
+ fun setAppropriateIssuerInfo(key: PGPPublicKey): BaseSignatureSubpackets
+
+ /**
+ * Depending on the given [version], use the appropriate means of setting issuer information.
+ * V6 signatures for example MUST NOT contain an [IssuerKeyID] packet.
+ *
+ * @param key issuer key
+ * @param version signature version
+ * @return this
+ */
+ fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion): BaseSignatureSubpackets
+
 /**
 * Add both an [IssuerKeyID] and [IssuerFingerprint] subpacket pointing to the given key.
 *
diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt
index 886cedb6..d91b8659 100644
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/signature/subpackets/SignatureSubpackets.kt
@@ -72,7 +72,7 @@ class SignatureSubpackets :
 issuer: PGPPublicKey,
 base: PGPSignatureSubpacketVector
 ): SignatureSubpackets {
- return createSubpacketsFrom(base).apply { setIssuerFingerprintAndKeyId(issuer) }
+ return createSubpacketsFrom(base).apply { setAppropriateIssuerInfo(issuer) }
 }
 @JvmStatic
@@ -82,7 +82,7 @@ class SignatureSubpackets :
 @JvmStatic
 fun createHashedSubpackets(issuer: PGPPublicKey): SignatureSubpackets {
- return createEmptySubpackets().setIssuerFingerprintAndKeyId(issuer)
+ return createEmptySubpackets().setAppropriateIssuerInfo(issuer)
 }
 @JvmStatic
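Review bot: In BaseSignatureSubpackets.kt the one-argument `setAppropriateIssuerInfo(key: PGPPublicKey)` is added without KDoc, and the KDoc on the two-argument overload calls `version` the "signature version" although its type is `OpenPGPKeyVersion`. I would add `/** Set the issuer subpackets appropriate for the version of [key]. */` on the first overload, and have the second say which subpackets are emitted for each version, since only the v6 rule is stated. Both methods are abstract, so any other implementation of the interface would have to add them; whether such implementations exist is not visible in this patch.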
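Review bot: In the SignatureSubpackets.kt factory that takes `issuer` and `base` (hunk `@@ -72,7`), `createSubpacketsFrom(base).apply { setAppropriateIssuerInfo(issuer) }` only adds issuer subpackets, so an IssuerKeyID copied over from `base` would presumably survive for a v6 issuer. `createSubpacketsFrom` is not shown, so this depends on whether it carries that subpacket across. If it does, the v6 branch added in the `@@ -352,6` hunk should also clear any previously set IssuerKeyID rather than only calling `setIssuerFingerprint(key)`. The factory's signature line is outside the hunk.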
@@ -352,6 +352,18 @@ class SignatureSubpackets :
 this.featuresSubpacket = features
 }
+ override fun setAppropriateIssuerInfo(key: PGPPublicKey) = apply {
+ setAppropriateIssuerInfo(key, OpenPGPKeyVersion.from(key.version))
+ }
+
+ override fun setAppropriateIssuerInfo(key: PGPPublicKey, version: OpenPGPKeyVersion) = apply {
+ when (version) {
+ OpenPGPKeyVersion.v3 -> setIssuerKeyId(key.keyID)
+ OpenPGPKeyVersion.v4 -> setIssuerFingerprintAndKeyId(key)
+ OpenPGPKeyVersion.librePgp, OpenPGPKeyVersion.v6 -> setIssuerFingerprint(key)
+ }
+ }
+
 override fun setIssuerFingerprintAndKeyId(key: PGPPublicKey): SignatureSubpackets = apply {
 setIssuerKeyId(key.keyID)
 setIssuerFingerprint(key)
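Review bot: The `when` in the two-argument `setAppropriateIssuerInfo` groups `OpenPGPKeyVersion.librePgp` with `v6`, but the only rule documented anywhere in the patch is that v6 signatures must not carry an IssuerKeyID. A short comment above that branch, e.g. `// v6 MUST NOT carry an IssuerKeyID; LibrePGP keys are handled the same way here`, would record that the grouping is deliberate. Separately, `OpenPGPKeyVersion.from(key.version)` in the one-argument overload is not shown; if it throws for unrecognised version numbers, that failure now surfaces from `createHashedSubpackets`, which previously did not inspect the key version. The body of `setIssuerFingerprintAndKeyId` continues past the end of the hunk.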