PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-11 11:19:39 +02:00
Code Issues Releases Wiki Activity

Accept certification signatures using SHA-1 before 2023-02-01

Browse source 
This commit introduces a dedicated SignatureHashAlgorithmPolicy for certification signatures.
The default configuration will accept SHA-1 on sigs created before 2023-02-01.
This commit is contained in:
Paul Schaub 2024-01-04 18:20:09 +01:00
parent 5053221e93
commit de9a161252
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
8 changed files with 74 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

4
pgpainless-core/src/test/java/org/pgpainless/encryption_signing/SigningTest.java
View file

@ -207,7 +207,7 @@ public class SigningTest {
SubkeyIdentifier signingKey = sigs.keySet().iterator().next();
PGPSignature signature = sigs.get(signingKey).iterator().next();
assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(),
assertEquals(PGPainless.getPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(),
signature.getHashAlgorithm());
}
@ -237,7 +237,7 @@ public class SigningTest {
SubkeyIdentifier signingKey = sigs.keySet().iterator().next();
PGPSignature signature = sigs.get(signingKey).iterator().next();
assertEquals(PGPainless.getPolicy().getSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(),
assertEquals(PGPainless.getPolicy().getDataSignatureHashAlgorithmPolicy().defaultHashAlgorithm().getAlgorithmId(),
signature.getHashAlgorithm());
}

11
pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
View file

@ -43,7 +43,10 @@ public class ManagePolicy {
@AfterEach
public void resetPolicy() {
// Policy for hash algorithms in non-revocation signatures
PGPainless.getPolicy().setSignatureHashAlgorithmPolicy(
PGPainless.getPolicy().setCertificationSignatureHashAlgorithmPolicy(
Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy());
// Policy for hash algorithms in data signatures
PGPainless.getPolicy().setDataSignatureHashAlgorithmPolicy(
Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy());
// Policy for hash algorithms in revocation signatures
PGPainless.getPolicy().setRevocationSignatureHashAlgorithmPolicy(
@ -83,7 +86,7 @@ public class ManagePolicy {
// Get PGPainless' policy singleton
Policy policy = PGPainless.getPolicy();
Policy.HashAlgorithmPolicy sigHashAlgoPolicy = policy.getSignatureHashAlgorithmPolicy();
Policy.HashAlgorithmPolicy sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy();
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512));
// Per default, non-revocation signatures using SHA-1 are rejected
assertFalse(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1));
@ -95,9 +98,9 @@ public class ManagePolicy {
// List of acceptable hash algorithms
Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1));
// Set the hash algo policy as policy for non-revocation signatures
policy.setSignatureHashAlgorithmPolicy(customPolicy);
policy.setDataSignatureHashAlgorithmPolicy(customPolicy);
sigHashAlgoPolicy = policy.getSignatureHashAlgorithmPolicy();
sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy();
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512));
// SHA-1 is now acceptable as well
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1));

10
pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java
View file

@ -16,9 +16,15 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm;
public class PolicySetterTest {
@Test
public void testSetSignatureHashAlgorithmPolicy_NullFails() {
public void testSetCertificationSignatureHashAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setSignatureHashAlgorithmPolicy(null));
assertThrows(NullPointerException.class, () -> policy.setCertificationSignatureHashAlgorithmPolicy(null));
}
@Test
public void testSetDataSignatureHashAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setDataSignatureHashAlgorithmPolicy(null));
}
@Test

32
pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
View file

@ -44,7 +44,7 @@ public class PolicyTest {
sigHashAlgoMap.put(HashAlgorithm.SHA256, null);
sigHashAlgoMap.put(HashAlgorithm.SHA224, null);
sigHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
policy.setSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap));
policy.setCertificationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap));
Map<HashAlgorithm, Date> revHashAlgoMap = new HashMap<>();
revHashAlgoMap.put(HashAlgorithm.SHA512, null);
@ -107,40 +107,40 @@ public class PolicyTest {
@Test
public void testAcceptableSignatureHashAlgorithm() {
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512));
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512.getAlgorithmId()));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA512.getAlgorithmId()));
// Usage date before termination date -> acceptable
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
}
@Test
public void testUnacceptableSignatureHashAlgorithm() {
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId()));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId()));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
}
@Test
public void testDefaultSignatureHashAlgorithm() {
assertEquals(HashAlgorithm.SHA512, policy.getSignatureHashAlgorithmPolicy().defaultHashAlgorithm());
assertEquals(HashAlgorithm.SHA512, policy.getCertificationSignatureHashAlgorithmPolicy().defaultHashAlgorithm());
}
@Test
public void testAcceptableRevocationSignatureHashAlgorithm() {
assertTrue(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA384));
assertTrue(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA384.getAlgorithmId()));
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
assertTrue(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2000-01-01 00:00:00 UTC")));
}
@Test
public void testUnacceptableRevocationSignatureHashAlgorithm() {
assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.RIPEMD160));
assertFalse(policy.getRevocationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.RIPEMD160.getAlgorithmId()));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(HashAlgorithm.SHA1.getAlgorithmId(), DateUtil.parseUTCDate("2020-01-01 00:00:00 UTC")));
}
@Test
@ -181,8 +181,8 @@ public class PolicyTest {
@Test
public void testUnknownSignatureHashAlgorithmIsNotAcceptable() {
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(-1));
assertFalse(policy.getSignatureHashAlgorithmPolicy().isAcceptable(-1, new Date()));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(-1));
assertFalse(policy.getCertificationSignatureHashAlgorithmPolicy().isAcceptable(-1, new Date()));
}
@Test