mirror of
https://github.com/pgpainless/pgpainless.git
synced 2025-12-10 14:21:09 +01:00
Refactoring
This commit is contained in:
parent
5a9b8a2c50
commit
8c3b694a71
GPG key ID:
62BEE9264BF17311
8 changed files with 94 additions and 91 deletions
|
|
@ -28,7 +28,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
|||
import org.bouncycastle.util.io.Streams;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.signature.DetachedSignature;
|
||||
import org.pgpainless.signature.SignatureChainValidator;
|
||||
import org.pgpainless.signature.CertificateValidator;
|
||||
import org.pgpainless.exception.SignatureValidationException;
|
||||
import org.pgpainless.util.IntegrityProtectedInputStream;
|
||||
|
||||
|
|
@ -105,7 +105,7 @@ public class DecryptionStream extends InputStream {
|
|||
for (DetachedSignature s : resultBuilder.getDetachedSignatures()) {
|
||||
try {
|
||||
verifySignatureCreationTimeIsInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(s.getSignature());
|
||||
boolean verified = SignatureChainValidator.validateSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), PGPainless.getPolicy());
|
||||
boolean verified = CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(), (PGPPublicKeyRing) s.getSigningKeyRing(), PGPainless.getPolicy());
|
||||
s.setVerified(verified);
|
||||
} catch (SignatureValidationException e) {
|
||||
LOGGER.log(Level.WARNING, "Could not verify signature of key " + s.getSigningKeyIdentifier(), e);
|
||||
|
|
|
|||
|
|
@ -20,21 +20,20 @@ import static org.pgpainless.signature.SignatureValidator.verifySignatureCreatio
|
|||
import java.io.FilterInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.security.SignatureException;
|
||||
import java.util.Map;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
import javax.annotation.Nonnull;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPObjectFactory;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.PGPSignatureList;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.exception.SignatureValidationException;
|
||||
import org.pgpainless.key.OpenPgpV4Fingerprint;
|
||||
import org.pgpainless.policy.Policy;
|
||||
import org.pgpainless.signature.OnePassSignature;
|
||||
import org.pgpainless.signature.SignatureChainValidator;
|
||||
import org.pgpainless.signature.CertificateValidator;
|
||||
|
||||
public class SignatureVerifyingInputStream extends FilterInputStream {
|
||||
|
||||
|
|
@ -103,7 +102,7 @@ public class SignatureVerifyingInputStream extends FilterInputStream {
|
|||
}
|
||||
|
||||
verifySignatureOrThrowSignatureException(signature, onePassSignature);
|
||||
} catch (PGPException | SignatureException e) {
|
||||
} catch (SignatureValidationException e) {
|
||||
LOGGER.log(LEVEL, "One-pass-signature verification failed for signature made by key " +
|
||||
Long.toHexString(signature.getKeyID()) + ": " + e.getMessage(), e);
|
||||
}
|
||||
|
|
@ -111,10 +110,10 @@ public class SignatureVerifyingInputStream extends FilterInputStream {
|
|||
}
|
||||
|
||||
private void verifySignatureOrThrowSignatureException(PGPSignature signature, OnePassSignature onePassSignature)
|
||||
throws PGPException, SignatureException {
|
||||
throws SignatureValidationException {
|
||||
Policy policy = PGPainless.getPolicy();
|
||||
verifySignatureCreationTimeIsInBounds(options.getVerifyNotBefore(), options.getVerifyNotAfter()).verify(signature);
|
||||
SignatureChainValidator.validateOnePassSignature(signature, onePassSignature, policy);
|
||||
CertificateValidator.validateCertificateAndVerifyOnePassSignature(signature, onePassSignature, policy);
|
||||
}
|
||||
|
||||
private OnePassSignature findOnePassSignature(OpenPgpV4Fingerprint fingerprint) {
|
||||
|
|
|
|||
|
|
@ -15,12 +15,9 @@
|
|||
*/
|
||||
package org.pgpainless.signature;
|
||||
|
||||
import static org.pgpainless.signature.SignatureValidator.signatureIsEffective;
|
||||
import static org.pgpainless.signature.SignatureValidator.signatureStructureIsAcceptable;
|
||||
import static org.pgpainless.signature.SignatureValidator.verifyWasPossiblyMadeByKey;
|
||||
import static org.pgpainless.signature.SignatureValidator.verifyOnePassSignature;
|
||||
|
||||
import java.io.InputStream;
|
||||
import java.security.SignatureException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.Date;
|
||||
|
|
@ -33,7 +30,6 @@ import java.util.logging.Logger;
|
|||
|
||||
import org.bouncycastle.bcpg.sig.KeyFlags;
|
||||
import org.bouncycastle.bcpg.sig.SignerUserID;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
|
|
@ -48,13 +44,13 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
|
|||
* Its responsibilities are checking if a signing key was eligible to create a certain signature
|
||||
* and if the signature is valid at the time of validation.
|
||||
*/
|
||||
public final class SignatureChainValidator {
|
||||
public final class CertificateValidator {
|
||||
|
||||
private SignatureChainValidator() {
|
||||
private CertificateValidator() {
|
||||
|
||||
}
|
||||
|
||||
private static final Logger LOGGER = Logger.getLogger(SignatureChainValidator.class.getName());
|
||||
private static final Logger LOGGER = Logger.getLogger(CertificateValidator.class.getName());
|
||||
|
||||
/**
|
||||
* Check if the signing key was eligible to create the provided signature.
|
||||
|
|
@ -71,7 +67,7 @@ public final class SignatureChainValidator {
|
|||
* @return true if the signing key was eligible to create the signature
|
||||
* @throws SignatureValidationException in case of a validation constraint violation
|
||||
*/
|
||||
public static boolean validateSigningKey(PGPSignature signature, PGPPublicKeyRing signingKeyRing, Policy policy)
|
||||
public static boolean validateCertificate(PGPSignature signature, PGPPublicKeyRing signingKeyRing, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
|
||||
Map<PGPSignature, Exception> rejections = new ConcurrentHashMap<>();
|
||||
|
|
@ -240,13 +236,13 @@ public final class SignatureChainValidator {
|
|||
* @return true if the signature is valid, false otherwise
|
||||
* @throws SignatureValidationException for validation constraint violations
|
||||
*/
|
||||
public static boolean validateSignatureChain(PGPSignature signature,
|
||||
InputStream signedData,
|
||||
PGPPublicKeyRing signingKeyRing,
|
||||
Policy policy,
|
||||
Date validationDate)
|
||||
public static boolean validateCertificateAndVerifyUninitializedSignature(PGPSignature signature,
|
||||
InputStream signedData,
|
||||
PGPPublicKeyRing signingKeyRing,
|
||||
Policy policy,
|
||||
Date validationDate)
|
||||
throws SignatureValidationException {
|
||||
validateSigningKey(signature, signingKeyRing, policy);
|
||||
validateCertificate(signature, signingKeyRing, policy);
|
||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||
return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
|
||||
}
|
||||
|
|
@ -261,34 +257,20 @@ public final class SignatureChainValidator {
|
|||
* @return true if the signature is valid, false otherwise
|
||||
* @throws SignatureValidationException in case of a validation constraint violation
|
||||
*/
|
||||
public static boolean validateSignature(PGPSignature signature, PGPPublicKeyRing verificationKeys, Policy policy)
|
||||
public static boolean validateCertificateAndVerifyInitializedSignature(PGPSignature signature, PGPPublicKeyRing verificationKeys, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
validateSigningKey(signature, verificationKeys, policy);
|
||||
validateCertificate(signature, verificationKeys, policy);
|
||||
long keyId = SignatureUtils.determineIssuerKeyId(signature);
|
||||
PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
|
||||
SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
|
||||
return true;
|
||||
}
|
||||
|
||||
public static boolean validateOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy) throws PGPException, SignatureException {
|
||||
public static boolean validateCertificateAndVerifyOnePassSignature(PGPSignature signature, OnePassSignature onePassSignature, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
validateCertificate(signature, onePassSignature.getVerificationKeys(), policy);
|
||||
PGPPublicKey signingKey = onePassSignature.getVerificationKeys().getPublicKey(signature.getKeyID());
|
||||
try {
|
||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective().verify(signature);
|
||||
} catch (SignatureValidationException e) {
|
||||
throw new SignatureException("Signature is not valid: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
try {
|
||||
validateSigningKey(signature, onePassSignature.getVerificationKeys(), policy);
|
||||
} catch (SignatureValidationException e) {
|
||||
throw new SignatureException("Signing key " + Long.toHexString(signingKey.getKeyID()) + " is not valid: " + e.getMessage(), e);
|
||||
}
|
||||
if (!onePassSignature.verify(signature)) {
|
||||
throw new SignatureException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||
}
|
||||
|
||||
verifyOnePassSignature(signature, signingKey, onePassSignature, policy);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
@ -83,8 +83,9 @@ public abstract class SignatureValidator {
|
|||
try {
|
||||
signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
|
||||
int read;
|
||||
while ((read = signedData.read()) != -1) {
|
||||
signature.update((byte) read);
|
||||
byte[] buf = new byte[8192];
|
||||
while ((read = signedData.read(buf)) != -1) {
|
||||
signature.update(buf, 0, read);
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Cannot init signature.", e);
|
||||
|
|
@ -121,6 +122,27 @@ public abstract class SignatureValidator {
|
|||
}
|
||||
}
|
||||
|
||||
public static boolean verifyOnePassSignature(PGPSignature signature, PGPPublicKey signingKey, OnePassSignature onePassSignature, Policy policy)
|
||||
throws SignatureValidationException {
|
||||
try {
|
||||
verifyWasPossiblyMadeByKey(signingKey, signature);
|
||||
signatureStructureIsAcceptable(signingKey, policy).verify(signature);
|
||||
signatureIsEffective().verify(signature);
|
||||
} catch (SignatureValidationException e) {
|
||||
throw new SignatureValidationException("Signature is not valid: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
try {
|
||||
if (!onePassSignature.verify(signature)) {
|
||||
throw new SignatureValidationException("Bad signature of key " + Long.toHexString(signingKey.getKeyID()));
|
||||
}
|
||||
} catch (PGPException e) {
|
||||
throw new SignatureValidationException("Could not verify correctness of One-Pass-Signature: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature (certification or revocation) over a user-id.
|
||||
*
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ import org.bouncycastle.util.Strings;
|
|||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.exception.SignatureValidationException;
|
||||
import org.pgpainless.implementation.ImplementationFactory;
|
||||
import org.pgpainless.signature.SignatureChainValidator;
|
||||
import org.pgpainless.signature.CertificateValidator;
|
||||
import org.pgpainless.util.ArmoredInputStreamFactory;
|
||||
|
||||
/**
|
||||
|
|
@ -140,7 +140,7 @@ public class CleartextSignatureProcessor {
|
|||
}
|
||||
sigIn.close();
|
||||
|
||||
SignatureChainValidator.validateSignature(signature, signingKeyRing, PGPainless.getPolicy());
|
||||
CertificateValidator.validateCertificateAndVerifyInitializedSignature(signature, signingKeyRing, PGPainless.getPolicy());
|
||||
return signature;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue