PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-09 18:29:39 +02:00
Code Issues Releases Wiki Activity

Rework Policy to be immutable. Changes are now done by calling policy.copy().withXYZ().build()

Browse source
This commit is contained in:
Paul Schaub 2025-03-16 22:01:59 +01:00
parent abff76de38
commit e46e9fa1f5
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
9 changed files with 192 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

8
pgpainless-core/src/main/kotlin/org/pgpainless/PGPainless.kt
View file

@ -34,7 +34,7 @@ import org.pgpainless.util.ArmorUtils
class PGPainless( class PGPainless(
val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(), val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance(),
val algorithmPolicy: Policy = Policy.getInstance() var algorithmPolicy: Policy = Policy.getInstance()
) { ) {
private var api: OpenPGPApi private var api: OpenPGPApi
@ -230,7 +230,11 @@ class PGPainless(
* *
* @return policy * @return policy
*/ */
@JvmStatic fun getPolicy() = getInstance().algorithmPolicy @Deprecated(
"Use PGPainless.getInstance().getAlgorithmPolicy() instead.",
replaceWith = ReplaceWith("getInstance().algorithmPolicy"))
@JvmStatic
fun getPolicy() = getInstance().algorithmPolicy
/** /**
* Create different kinds of signatures on other keys. * Create different kinds of signatures on other keys.

113
pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt
View file

@ -11,15 +11,16 @@ import org.pgpainless.util.DateUtil
import org.pgpainless.util.NotationRegistry import org.pgpainless.util.NotationRegistry
class Policy( class Policy(
var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, val certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy,
var revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, val revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy,
var dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy, val dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy,
var symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, val symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy,
var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, val symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy,
var compressionAlgorithmPolicy: CompressionAlgorithmPolicy, val compressionAlgorithmPolicy: CompressionAlgorithmPolicy,
var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, val publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy,
var keyProtectionSettings: KeyRingProtectionSettings, val keyProtectionSettings: KeyRingProtectionSettings,
var notationRegistry: NotationRegistry val notationRegistry: NotationRegistry,
val keyGenerationAlgorithmSuite: AlgorithmSuite
) { ) {
constructor() : constructor() :
@ -32,12 +33,14 @@ class Policy(
CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(),
PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(), PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(),
KeyRingProtectionSettings.secureDefaultSettings(), KeyRingProtectionSettings.secureDefaultSettings(),
NotationRegistry()) NotationRegistry(),
AlgorithmSuite.defaultAlgorithmSuite)
var keyGenerationAlgorithmSuite = AlgorithmSuite.defaultAlgorithmSuite
var signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED var signerUserIdValidationLevel = SignerUserIdValidationLevel.DISABLED
var enableKeyParameterValidation = false var enableKeyParameterValidation = false
fun copy() = Builder(this)
fun isEnableKeyParameterValidation() = enableKeyParameterValidation fun isEnableKeyParameterValidation() = enableKeyParameterValidation
/** /**
@ -415,4 +418,92 @@ class Policy(
fun getInstance() = fun getInstance() =
INSTANCE ?: synchronized(this) { INSTANCE ?: Policy().also { INSTANCE = it } } INSTANCE ?: synchronized(this) { INSTANCE ?: Policy().also { INSTANCE = it } }
} }
class Builder(private val origin: Policy) {
private var certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy =
origin.certificationSignatureHashAlgorithmPolicy
private var revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy =
origin.revocationSignatureHashAlgorithmPolicy
private var dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy =
origin.dataSignatureHashAlgorithmPolicy
private var symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy =
origin.symmetricKeyEncryptionAlgorithmPolicy
private var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy =
origin.symmetricKeyDecryptionAlgorithmPolicy
private var compressionAlgorithmPolicy: CompressionAlgorithmPolicy =
origin.compressionAlgorithmPolicy
private var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy =
origin.publicKeyAlgorithmPolicy
private var keyProtectionSettings: KeyRingProtectionSettings = origin.keyProtectionSettings
private var notationRegistry: NotationRegistry = origin.notationRegistry
private var keyGenerationAlgorithmSuite: AlgorithmSuite = origin.keyGenerationAlgorithmSuite
fun withCertificationSignatureHashAlgorithmPolicy(
certificationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy
) = apply {
this.certificationSignatureHashAlgorithmPolicy =
certificationSignatureHashAlgorithmPolicy
}
fun withRevocationSignatureHashAlgorithmPolicy(
revocationSignatureHashAlgorithmPolicy: HashAlgorithmPolicy
) = apply {
this.revocationSignatureHashAlgorithmPolicy = revocationSignatureHashAlgorithmPolicy
}
fun withDataSignatureHashAlgorithmPolicy(
dataSignatureHashAlgorithmPolicy: HashAlgorithmPolicy
) = apply { this.dataSignatureHashAlgorithmPolicy = dataSignatureHashAlgorithmPolicy }
fun withSymmetricKeyEncryptionAlgorithmPolicy(
symmetricKeyEncryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy
) = apply {
this.symmetricKeyEncryptionAlgorithmPolicy = symmetricKeyEncryptionAlgorithmPolicy
}
fun withSymmetricKeyDecryptionAlgorithmPolicy(
symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy
) = apply {
this.symmetricKeyDecryptionAlgorithmPolicy = symmetricKeyDecryptionAlgorithmPolicy
}
fun withCompressionAlgorithmPolicy(compressionAlgorithmPolicy: CompressionAlgorithmPolicy) =
apply {
this.compressionAlgorithmPolicy = compressionAlgorithmPolicy
}
fun withPublicKeyAlgorithmPolicy(publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy) =
apply {
this.publicKeyAlgorithmPolicy = publicKeyAlgorithmPolicy
}
fun withKeyProtectionSettings(keyProtectionSettings: KeyRingProtectionSettings) = apply {
this.keyProtectionSettings = keyProtectionSettings
}
fun withNotationRegistry(notationRegistry: NotationRegistry) = apply {
this.notationRegistry = notationRegistry
}
fun withKeyGenerationAlgorithmSuite(keyGenerationAlgorithmSuite: AlgorithmSuite) = apply {
this.keyGenerationAlgorithmSuite = keyGenerationAlgorithmSuite
}
fun build() =
Policy(
certificationSignatureHashAlgorithmPolicy,
revocationSignatureHashAlgorithmPolicy,
dataSignatureHashAlgorithmPolicy,
symmetricKeyEncryptionAlgorithmPolicy,
symmetricKeyDecryptionAlgorithmPolicy,
compressionAlgorithmPolicy,
publicKeyAlgorithmPolicy,
keyProtectionSettings,
notationRegistry,
keyGenerationAlgorithmSuite)
.apply {
enableKeyParameterValidation = origin.enableKeyParameterValidation
signerUserIdValidationLevel = origin.signerUserIdValidationLevel
}
}
} }

5
pgpainless-core/src/test/java/org/pgpainless/encryption_signing/EncryptDecryptTest.java
View file

@ -59,10 +59,7 @@ public class EncryptDecryptTest {
@BeforeEach @BeforeEach
public void setDefaultPolicy() { public void setDefaultPolicy() {
PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy( PGPainless.getInstance().setAlgorithmPolicy(new Policy());
Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022());
PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy(
Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022());
} }
@TestTemplate @TestTemplate

69
pgpainless-core/src/test/java/org/pgpainless/example/ManagePolicy.java
View file

@ -25,13 +25,13 @@ import org.pgpainless.util.NotationRegistry;
* can be rejected. * can be rejected.
* Note, that PGPainless distinguishes between hash algorithms used in revocation and non-revocation signatures, * Note, that PGPainless distinguishes between hash algorithms used in revocation and non-revocation signatures,
* and has different policies for those. * and has different policies for those.
* * <p>
* Furthermore, PGPainless has policies for symmetric encryption algorithms (both for encrypting and decrypting), * Furthermore, PGPainless has policies for symmetric encryption algorithms (both for encrypting and decrypting),
* for public key algorithms and key lengths, as well as compression algorithms. * for public key algorithms and key lengths, as well as compression algorithms.
* * <p>
* The following examples show how these policies can be modified. * The following examples show how these policies can be modified.
* * <p>
* PGPainless' policy is being accessed by calling {@link PGPainless#getPolicy()}. * PGPainless' policy is being accessed by calling {@link PGPainless#getAlgorithmPolicy()}.
* Custom sub-policies can be set by calling the setter methods of {@link Policy}. * Custom sub-policies can be set by calling the setter methods of {@link Policy}.
*/ */
public class ManagePolicy { public class ManagePolicy {
@ -43,50 +43,29 @@ public class ManagePolicy {
@AfterEach @AfterEach
public void resetPolicy() { public void resetPolicy() {
// Policy for hash algorithms in non-revocation signatures // Policy for hash algorithms in non-revocation signatures
PGPainless.getPolicy().setCertificationSignatureHashAlgorithmPolicy( PGPainless.getInstance().setAlgorithmPolicy(new Policy());
Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy());
// Policy for hash algorithms in data signatures
PGPainless.getPolicy().setDataSignatureHashAlgorithmPolicy(
Policy.HashAlgorithmPolicy.static2022SignatureHashAlgorithmPolicy());
// Policy for hash algorithms in revocation signatures
PGPainless.getPolicy().setRevocationSignatureHashAlgorithmPolicy(
Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy());
// Policy for public key algorithms and bit lengths
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(
Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
// Policy for acceptable symmetric encryption algorithms when decrypting messages
PGPainless.getPolicy().setSymmetricKeyDecryptionAlgorithmPolicy(
Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022());
// Policy for acceptable symmetric encryption algorithms when encrypting messages
PGPainless.getPolicy().setSymmetricKeyEncryptionAlgorithmPolicy(
Policy.SymmetricKeyAlgorithmPolicy.symmetricKeyEncryptionPolicy2022());
// Policy for acceptable compression algorithms
PGPainless.getPolicy().setCompressionAlgorithmPolicy(
Policy.CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy());
// Known notations
PGPainless.getPolicy().getNotationRegistry().clear();
} }
/** /**
* {@link HashAlgorithm Hash Algorithms} may get outdated with time. {@link HashAlgorithm#SHA1} is a prominent * {@link HashAlgorithm Hash Algorithms} may get outdated with time. {@link HashAlgorithm#SHA1} is a prominent
* example for an algorithm that is nowadays considered unsafe to use and which shall be avoided. * example for an algorithm that is nowadays considered unsafe to use and which shall be avoided.
* * <p>
* PGPainless comes with a {@link Policy} class that defines which algorithms are trustworthy and acceptable. * PGPainless comes with a {@link Policy} class that defines which algorithms are trustworthy and acceptable.
* It also allows the user to specify a custom policy tailored to their needs. * It also allows the user to specify a custom policy tailored to their needs.
* * <p>
* Per default, PGPainless will reject non-revocation signatures that use SHA-1 as hash algorithm. * Per default, PGPainless will reject non-revocation signatures that use SHA-1 as hash algorithm.
* To inspect PGPainless' default signature hash algorithm policy, see * To inspect PGPainless' default signature hash algorithm policy, see
* {@link Policy.HashAlgorithmPolicy#static2022SignatureHashAlgorithmPolicy()}. * {@link Policy.HashAlgorithmPolicy#static2022SignatureHashAlgorithmPolicy()}.
* * <p>
* Since it may be a valid use-case to accept signatures made using SHA-1 as part of a less strict policy, * Since it may be a valid use-case to accept signatures made using SHA-1 as part of a less strict policy,
* this example demonstrates how to set a custom signature hash algorithm policy. * this example demonstrates how to set a custom signature hash algorithm policy.
*/ */
@Test @Test
public void setCustomSignatureHashPolicy() { public void setCustomSignatureHashPolicy() {
// Get PGPainless' policy singleton // Get PGPainless' policy
Policy policy = PGPainless.getPolicy(); Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy();
Policy.HashAlgorithmPolicy sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy(); Policy.HashAlgorithmPolicy sigHashAlgoPolicy = oldPolicy.getDataSignatureHashAlgorithmPolicy();
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512));
// Per default, non-revocation signatures using SHA-1 are rejected // Per default, non-revocation signatures using SHA-1 are rejected
assertFalse(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)); assertFalse(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1));
@ -98,12 +77,17 @@ public class ManagePolicy {
// List of acceptable hash algorithms // List of acceptable hash algorithms
Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1)); Arrays.asList(HashAlgorithm.SHA512, HashAlgorithm.SHA384, HashAlgorithm.SHA256, HashAlgorithm.SHA224, HashAlgorithm.SHA1));
// Set the hash algo policy as policy for non-revocation signatures // Set the hash algo policy as policy for non-revocation signatures
policy.setDataSignatureHashAlgorithmPolicy(customPolicy); PGPainless.getInstance().setAlgorithmPolicy(
oldPolicy.copy().withDataSignatureHashAlgorithmPolicy(customPolicy).build()
);
sigHashAlgoPolicy = policy.getDataSignatureHashAlgorithmPolicy(); sigHashAlgoPolicy = PGPainless.getInstance().getAlgorithmPolicy().getDataSignatureHashAlgorithmPolicy();
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512)); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA512));
// SHA-1 is now acceptable as well // SHA-1 is now acceptable as well
assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1)); assertTrue(sigHashAlgoPolicy.isAcceptable(HashAlgorithm.SHA1));
// reset old policy
PGPainless.getInstance().setAlgorithmPolicy(oldPolicy);
} }
/** /**
@ -111,13 +95,13 @@ public class ManagePolicy {
* Per default, PGPainless will reject signatures made by keys of unacceptable algorithm or length. * Per default, PGPainless will reject signatures made by keys of unacceptable algorithm or length.
* See {@link Policy.PublicKeyAlgorithmPolicy#bsi2021PublicKeyAlgorithmPolicy()} * See {@link Policy.PublicKeyAlgorithmPolicy#bsi2021PublicKeyAlgorithmPolicy()}
* to inspect PGPainless' defaults. * to inspect PGPainless' defaults.
* * <p>
* This example demonstrates how to set a custom public key algorithm policy. * This example demonstrates how to set a custom public key algorithm policy.
*/ */
@Test @Test
public void setCustomPublicKeyAlgorithmPolicy() { public void setCustomPublicKeyAlgorithmPolicy() {
Policy policy = PGPainless.getPolicy(); Policy oldPolicy = PGPainless.getInstance().getAlgorithmPolicy();
Policy.PublicKeyAlgorithmPolicy pkAlgorithmPolicy = policy.getPublicKeyAlgorithmPolicy(); Policy.PublicKeyAlgorithmPolicy pkAlgorithmPolicy = oldPolicy.getPublicKeyAlgorithmPolicy();
assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096));
assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048));
assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 1024)); assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 1024));
@ -131,27 +115,30 @@ public class ManagePolicy {
put(PublicKeyAlgorithm.RSA_GENERAL, 3000); put(PublicKeyAlgorithm.RSA_GENERAL, 3000);
}} }}
); );
policy.setPublicKeyAlgorithmPolicy(customPolicy); PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy().withPublicKeyAlgorithmPolicy(customPolicy).build());
pkAlgorithmPolicy = policy.getPublicKeyAlgorithmPolicy(); pkAlgorithmPolicy = PGPainless.getInstance().getAlgorithmPolicy().getPublicKeyAlgorithmPolicy();
assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096)); assertTrue(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 4096));
// RSA 2048 is no longer acceptable // RSA 2048 is no longer acceptable
assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048)); assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.RSA_GENERAL, 2048));
// ECDSA is no longer acceptable, since it is no longer included in the policy at all // ECDSA is no longer acceptable, since it is no longer included in the policy at all
assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.ECDSA, 256)); assertFalse(pkAlgorithmPolicy.isAcceptable(PublicKeyAlgorithm.ECDSA, 256));
// Reset policy
PGPainless.getInstance().setAlgorithmPolicy(oldPolicy);
} }
/** /**
* OpenPGP requires implementations to reject signatures which contain critical notation data subpackets * OpenPGP requires implementations to reject signatures which contain critical notation data subpackets
* which are not known to the implementation. * which are not known to the implementation.
* * <p>
* PGPainless allows the user to define which notations should be considered known notations. * PGPainless allows the user to define which notations should be considered known notations.
* The following example demonstrates how to mark the notation value 'unknown@pgpainless.org' as known, * The following example demonstrates how to mark the notation value 'unknown@pgpainless.org' as known,
* such that signatures containing a critical notation with that name are no longer being invalidated because of it. * such that signatures containing a critical notation with that name are no longer being invalidated because of it.
*/ */
@Test @Test
public void manageKnownNotations() { public void manageKnownNotations() {
Policy policy = PGPainless.getPolicy(); Policy policy = PGPainless.getInstance().getAlgorithmPolicy();
NotationRegistry notationRegistry = policy.getNotationRegistry(); NotationRegistry notationRegistry = policy.getNotationRegistry();
assertFalse(notationRegistry.isKnownNotation("unknown@pgpainless.org")); assertFalse(notationRegistry.isKnownNotation("unknown@pgpainless.org"));

16
pgpainless-core/src/test/java/org/pgpainless/key/generation/GeneratingWeakKeyThrowsTest.java
View file

@ -22,9 +22,7 @@ public class GeneratingWeakKeyThrowsTest {
@Test @Test
public void refuseToGenerateWeakPrimaryKeyTest() { public void refuseToGenerateWeakPrimaryKeyTest() {
// ensure we have default public key algorithm policy set // ensure we have default public key algorithm policy set
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( PGPainless.getInstance().setAlgorithmPolicy(new Policy());
Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
assertThrows(IllegalArgumentException.class, () -> assertThrows(IllegalArgumentException.class, () ->
PGPainless.buildKeyRing() PGPainless.buildKeyRing()
.setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._1024),
@ -34,8 +32,7 @@ public class GeneratingWeakKeyThrowsTest {
@Test @Test
public void refuseToAddWeakSubkeyDuringGenerationTest() { public void refuseToAddWeakSubkeyDuringGenerationTest() {
// ensure we have default public key algorithm policy set // ensure we have default public key algorithm policy set
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( PGPainless.getInstance().setAlgorithmPolicy(new Policy());
Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
KeyRingBuilder kb = PGPainless.buildKeyRing() KeyRingBuilder kb = PGPainless.buildKeyRing()
.setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096),
@ -52,8 +49,10 @@ public class GeneratingWeakKeyThrowsTest {
Map<PublicKeyAlgorithm, Integer> bitStrengths = new HashMap<>(); Map<PublicKeyAlgorithm, Integer> bitStrengths = new HashMap<>();
bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512); bitStrengths.put(PublicKeyAlgorithm.RSA_GENERAL, 512);
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( Policy oldPolicy = PGPainless.getPolicy();
new Policy.PublicKeyAlgorithmPolicy(bitStrengths)); PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy()
.withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(bitStrengths))
.build());
PGPainless.buildKeyRing() PGPainless.buildKeyRing()
.setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096), .setPrimaryKey(KeySpec.getBuilder(KeyType.RSA(RsaLength._4096),
@ -64,7 +63,6 @@ public class GeneratingWeakKeyThrowsTest {
.build(); .build();
// reset public key algorithm policy // reset public key algorithm policy
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy( PGPainless.getInstance().setAlgorithmPolicy(oldPolicy);
Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy());
} }
} }

15
pgpainless-core/src/test/java/org/pgpainless/key/modification/RefuseToAddWeakSubkeyTest.java
View file

@ -29,7 +29,11 @@ public class RefuseToAddWeakSubkeyTest {
@Test @Test
public void testEditorRefusesToAddWeakSubkey() { public void testEditorRefusesToAddWeakSubkey() {
// ensure default policy is set // ensure default policy is set
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); Policy oldPolicy = PGPainless.getPolicy();
Policy adjusted = oldPolicy.copy().withPublicKeyAlgorithmPolicy(
Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()
).build();
PGPainless.getInstance().setAlgorithmPolicy(adjusted);
PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing() PGPSecretKeyRing secretKeys = PGPainless.generateKeyRing()
.modernKeyRing("Alice") .modernKeyRing("Alice")
@ -39,6 +43,7 @@ public class RefuseToAddWeakSubkeyTest {
assertThrows(IllegalArgumentException.class, () -> assertThrows(IllegalArgumentException.class, () ->
editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys())); editor.addSubKey(spec, Passphrase.emptyPassphrase(), SecretKeyRingProtector.unprotectedKeys()));
PGPainless.getInstance().setAlgorithmPolicy(oldPolicy);
} }
@Test @Test
@ -47,6 +52,8 @@ public class RefuseToAddWeakSubkeyTest {
.modernKeyRing("Alice") .modernKeyRing("Alice")
.getPGPSecretKeyRing(); .getPGPSecretKeyRing();
Policy oldPolicy = PGPainless.getPolicy();
// set weak policy // set weak policy
Map<PublicKeyAlgorithm, Integer> minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class); Map<PublicKeyAlgorithm, Integer> minimalBitStrengths = new EnumMap<>(PublicKeyAlgorithm.class);
// §5.4.1 // §5.4.1
@ -68,7 +75,9 @@ public class RefuseToAddWeakSubkeyTest {
minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000); minimalBitStrengths.put(PublicKeyAlgorithm.DIFFIE_HELLMAN, 2000);
// §7.2.2 // §7.2.2
minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250); minimalBitStrengths.put(PublicKeyAlgorithm.ECDH, 250);
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths)); PGPainless.getInstance().setAlgorithmPolicy(oldPolicy.copy()
.withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(minimalBitStrengths))
.build());
SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys); SecretKeyRingEditorInterface editor = PGPainless.modifyKeyRing(secretKeys);
KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS) KeySpec spec = KeySpec.getBuilder(KeyType.RSA(RsaLength._1024), KeyFlag.ENCRYPT_COMMS)
@ -81,6 +90,6 @@ public class RefuseToAddWeakSubkeyTest {
assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size()); assertEquals(2, PGPainless.inspectKeyRing(secretKeys).getEncryptionSubkeys(EncryptionPurpose.ANY).size());
// reset default policy // reset default policy
PGPainless.getPolicy().setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); PGPainless.getInstance().setAlgorithmPolicy(oldPolicy);
} }
} }

16
pgpainless-core/src/test/java/org/pgpainless/policy/PolicySetterTest.java
View file

@ -18,43 +18,43 @@ public class PolicySetterTest {
@Test @Test
public void testSetCertificationSignatureHashAlgorithmPolicy_NullFails() { public void testSetCertificationSignatureHashAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setCertificationSignatureHashAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withCertificationSignatureHashAlgorithmPolicy(null));
} }
@Test @Test
public void testSetDataSignatureHashAlgorithmPolicy_NullFails() { public void testSetDataSignatureHashAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setDataSignatureHashAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withDataSignatureHashAlgorithmPolicy(null));
} }
@Test @Test
public void testSetRevocationSignatureHashAlgorithmPolicy_NullFails() { public void testSetRevocationSignatureHashAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setRevocationSignatureHashAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withRevocationSignatureHashAlgorithmPolicy(null));
} }
@Test @Test
public void testSetSymmetricKeyEncryptionAlgorithmPolicy_NullFails() { public void testSetSymmetricKeyEncryptionAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setSymmetricKeyEncryptionAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyEncryptionAlgorithmPolicy(null));
} }
@Test @Test
public void testSetSymmetricKeyDecryptionAlgorithmPolicy_NullFails() { public void testSetSymmetricKeyDecryptionAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setSymmetricKeyDecryptionAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withSymmetricKeyDecryptionAlgorithmPolicy(null));
} }
@Test @Test
public void testSetCompressionAlgorithmPolicy_NullFails() { public void testSetCompressionAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setCompressionAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withCompressionAlgorithmPolicy(null));
} }
@Test @Test
public void testSetPublicKeyAlgorithmPolicy_NullFails() { public void testSetPublicKeyAlgorithmPolicy_NullFails() {
Policy policy = Policy.getInstance(); Policy policy = Policy.getInstance();
assertThrows(NullPointerException.class, () -> policy.setPublicKeyAlgorithmPolicy(null)); assertThrows(NullPointerException.class, () -> policy.copy().withPublicKeyAlgorithmPolicy(null));
} }
@Test @Test
@ -62,7 +62,7 @@ public class PolicySetterTest {
Policy policy = new Policy(); Policy policy = new Policy();
Map<PublicKeyAlgorithm, Integer> acceptableAlgorithms = new HashMap<>(); Map<PublicKeyAlgorithm, Integer> acceptableAlgorithms = new HashMap<>();
acceptableAlgorithms.put(PublicKeyAlgorithm.RSA_GENERAL, 2000); acceptableAlgorithms.put(PublicKeyAlgorithm.RSA_GENERAL, 2000);
policy.setPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(acceptableAlgorithms)); policy = policy.copy().withPublicKeyAlgorithmPolicy(new Policy.PublicKeyAlgorithmPolicy(acceptableAlgorithms)).build();
// Policy does not contain ECDSA // Policy does not contain ECDSA
assertFalse(policy.getPublicKeyAlgorithmPolicy().isAcceptable(PublicKeyAlgorithm.ECDSA, 256)); assertFalse(policy.getPublicKeyAlgorithmPolicy().isAcceptable(PublicKeyAlgorithm.ECDSA, 256));

33
pgpainless-core/src/test/java/org/pgpainless/policy/PolicyTest.java
View file

@ -28,23 +28,12 @@ public class PolicyTest {
@BeforeAll @BeforeAll
public static void setup() { public static void setup() {
policy = new Policy();
policy.setCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy(CompressionAlgorithm.UNCOMPRESSED,
Arrays.asList(CompressionAlgorithm.ZIP, CompressionAlgorithm.ZLIB, CompressionAlgorithm.UNCOMPRESSED)));
policy.setSymmetricKeyEncryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256,
Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128)));
policy.setSymmetricKeyDecryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256,
Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.BLOWFISH)));
Map<HashAlgorithm, Date> sigHashAlgoMap = new HashMap<>(); Map<HashAlgorithm, Date> sigHashAlgoMap = new HashMap<>();
sigHashAlgoMap.put(HashAlgorithm.SHA512, null); sigHashAlgoMap.put(HashAlgorithm.SHA512, null);
sigHashAlgoMap.put(HashAlgorithm.SHA384, null); sigHashAlgoMap.put(HashAlgorithm.SHA384, null);
sigHashAlgoMap.put(HashAlgorithm.SHA256, null); sigHashAlgoMap.put(HashAlgorithm.SHA256, null);
sigHashAlgoMap.put(HashAlgorithm.SHA224, null); sigHashAlgoMap.put(HashAlgorithm.SHA224, null);
sigHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); sigHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
policy.setCertificationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap));
Map<HashAlgorithm, Date> revHashAlgoMap = new HashMap<>(); Map<HashAlgorithm, Date> revHashAlgoMap = new HashMap<>();
revHashAlgoMap.put(HashAlgorithm.SHA512, null); revHashAlgoMap.put(HashAlgorithm.SHA512, null);
@ -53,10 +42,26 @@ public class PolicyTest {
revHashAlgoMap.put(HashAlgorithm.SHA224, null); revHashAlgoMap.put(HashAlgorithm.SHA224, null);
revHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); revHashAlgoMap.put(HashAlgorithm.SHA1, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
revHashAlgoMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC")); revHashAlgoMap.put(HashAlgorithm.RIPEMD160, DateUtil.parseUTCDate("2013-02-01 00:00:00 UTC"));
policy.setRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512,
revHashAlgoMap));
policy.setPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy()); policy = new Policy().copy()
.withCompressionAlgorithmPolicy(new Policy.CompressionAlgorithmPolicy(CompressionAlgorithm.UNCOMPRESSED,
Arrays.asList(CompressionAlgorithm.ZIP, CompressionAlgorithm.ZLIB, CompressionAlgorithm.UNCOMPRESSED)))
.withSymmetricKeyEncryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256,
Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128)))
.withSymmetricKeyDecryptionAlgorithmPolicy(new Policy.SymmetricKeyAlgorithmPolicy(SymmetricKeyAlgorithm.AES_256,
Arrays.asList(SymmetricKeyAlgorithm.AES_256, SymmetricKeyAlgorithm.AES_192, SymmetricKeyAlgorithm.AES_128, SymmetricKeyAlgorithm.BLOWFISH)))
.withCertificationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512, sigHashAlgoMap))
.withRevocationSignatureHashAlgorithmPolicy(new Policy.HashAlgorithmPolicy(HashAlgorithm.SHA512,
revHashAlgoMap))
.withPublicKeyAlgorithmPolicy(Policy.PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy())
.build();
} }
@Test @Test

11
pgpainless-sop/src/test/java/org/pgpainless/sop/VerifyLegacySignatureTest.java
View file

@ -134,8 +134,12 @@ public class VerifyLegacySignatureTest {
assertFalse(result.getResult().isEmpty()); assertFalse(result.getResult().isEmpty());
// Adjust data signature hash policy to accept new SHA-1 sigs // Adjust data signature hash policy to accept new SHA-1 sigs
PGPainless.getPolicy().setDataSignatureHashAlgorithmPolicy( Policy policy = PGPainless.getPolicy();
Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()); Policy adjusted = policy.copy()
.withDataSignatureHashAlgorithmPolicy(
Policy.HashAlgorithmPolicy.static2022RevocationSignatureHashAlgorithmPolicy()
).build();
PGPainless.getInstance().setAlgorithmPolicy(adjusted);
// Sig generated in 2024 using SHA1 // Sig generated in 2024 using SHA1
String newSig = "-----BEGIN PGP MESSAGE-----\n" + String newSig = "-----BEGIN PGP MESSAGE-----\n" +
@ -160,5 +164,8 @@ public class VerifyLegacySignatureTest {
.toByteArrayAndResult(); .toByteArrayAndResult();
assertFalse(result.getResult().isEmpty()); assertFalse(result.getResult().isEmpty());
// Reset old policy
PGPainless.getInstance().setAlgorithmPolicy(policy);
} }
} }