Test and implement revocation of single userIDs

2025-12-10 14:21:09 +01:00 · 2021-01-22 18:28:48 +01:00 · 2021-01-22 18:28:48 +01:00 · ee1f90e850
commit ee1f90e850
parent c4d670821f
7 changed files with 313 additions and 58 deletions
--- a/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/info/KeyRingInfo.java
@ -177,8 +177,12 @@ public class KeyRingInfo {
    }

    public boolean isUserIdValid(String userId) {
+        return isUserIdValid(getKeyId(), userId);
+    }
+
+    public boolean isUserIdValid(long keyId, String userId) {
        try {
-            return SignatureUtils.isUserIdValid(getPublicKey(), userId);
+            return SignatureUtils.isUserIdValid(getPublicKey(keyId), userId);
        } catch (PGPException e) {
            return false;
        }
@ -308,17 +312,9 @@ public class KeyRingInfo {
        return true;
    }

-    public List<PGPSignature> getSelfSignatures() {
-        return getSelfSignatures(new OpenPgpV4Fingerprint(getPublicKey()));
-    }
-
-    public List<PGPSignature> getSelfSignatures(OpenPgpV4Fingerprint subkeyFingerprint) {
-        return getSelfSignatures(subkeyFingerprint.getKeyId());
-    }
-
-    public List<PGPSignature> getSelfSignatures(long subkeyId) {
+    public List<PGPSignature> getSelfSignaturesOnKey(long subkeyId) {
        PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
-        Iterator<PGPSignature> it = publicKey.getSignaturesForKeyID(subkeyId);
+        Iterator<PGPSignature> it = publicKey.getSignaturesForKeyID(keys.getPublicKey().getKeyID());
        List<PGPSignature> signatures = new ArrayList<>();
        while (it.hasNext()) {
            signatures.add(it.next());
@ -327,25 +323,25 @@ public class KeyRingInfo {
        return signatures;
    }

-    public PGPSignature getLatestValidSelfSignature() throws PGPException {
-        return getLatestValidSelfSignature(new OpenPgpV4Fingerprint(getPublicKey()));
+    public PGPSignature getLatestValidSelfSignatureOnKey() throws PGPException {
+        return getLatestValidSelfSignatureOnKey(new OpenPgpV4Fingerprint(getPublicKey()));
    }

-    public PGPSignature getLatestValidSelfSignature(OpenPgpV4Fingerprint fingerprint) throws PGPException {
-        return getLatestValidSelfSignature(fingerprint.getKeyId());
+    public PGPSignature getLatestValidSelfSignatureOnKey(OpenPgpV4Fingerprint fingerprint) throws PGPException {
+        return getLatestValidSelfSignatureOnKey(fingerprint.getKeyId());
    }

-    public PGPSignature getLatestValidSelfSignature(long subkeyId) throws PGPException {
+    public PGPSignature getLatestValidSelfSignatureOnKey(long subkeyId) throws PGPException {
        PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subkeyId);
-        List<PGPSignature> signatures = getSelfSignatures(subkeyId);
+        List<PGPSignature> signatures = getSelfSignaturesOnKey(keys.getPublicKey().getKeyID());
        return getLatestValidSignature(publicKey, signatures, keys);
    }

-    public List<PGPSignature> getBindingSignatures(OpenPgpV4Fingerprint fingerprint) {
-        return getBindingSignatures(fingerprint.getKeyId());
+    public List<PGPSignature> getBindingSignaturesOnKey(OpenPgpV4Fingerprint fingerprint) {
+        return getBindingSignaturesOnKey(fingerprint.getKeyId());
    }

-    public List<PGPSignature> getBindingSignatures(long subkeyId) {
+    public List<PGPSignature> getBindingSignaturesOnKey(long subkeyId) {
        if (subkeyId == getKeyId()) {
            return Collections.emptyList();
        }
@ -353,23 +349,19 @@ public class KeyRingInfo {
        return SignatureUtils.getBindingSignatures(publicKey, getKeyId());
    }

-    public PGPSignature getLatestValidBindingSignature(long subKeyID) throws PGPException {
+    public PGPSignature getLatestValidBindingSignatureOnKey(long subKeyID) throws PGPException {
        PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(keys, subKeyID);
-        List<PGPSignature> signatures = getBindingSignatures(subKeyID);
+        List<PGPSignature> signatures = getBindingSignaturesOnKey(subKeyID);
        return getLatestValidSignature(publicKey, signatures, keys);
    }

-    public PGPSignature getLatestValidSelfOrBindingSignature() throws PGPException {
-        return getLatestValidSelfOrBindingSignature(new OpenPgpV4Fingerprint(getPublicKey()));
+    public PGPSignature getLatestValidSelfOrBindingSignatureOnKey(OpenPgpV4Fingerprint fingerprint) throws PGPException {
+        return getLatestValidSelfOrBindingSignatureOnKey(fingerprint.getKeyId());
    }

-    public PGPSignature getLatestValidSelfOrBindingSignature(OpenPgpV4Fingerprint fingerprint) throws PGPException {
-        return getLatestValidSelfOrBindingSignature(fingerprint.getKeyId());
-    }
-
-    public PGPSignature getLatestValidSelfOrBindingSignature(long subKeyId) throws PGPException {
-        PGPSignature self = getLatestValidSelfSignature(subKeyId);
-        PGPSignature binding = getLatestValidBindingSignature(subKeyId);
+    public PGPSignature getLatestValidSelfOrBindingSignatureOnKey(long subKeyId) throws PGPException {
+        PGPSignature self = getLatestValidSelfSignatureOnKey(subKeyId);
+        PGPSignature binding = getLatestValidBindingSignatureOnKey(subKeyId);
        if (self == null) {
            return binding;
        }
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
@ -45,6 +45,7 @@ import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.bouncycastle.openpgp.operator.PGPDigestCalculator;
+import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
@ -52,6 +53,7 @@ import org.pgpainless.implementation.ImplementationFactory;
 import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.generation.KeyRingBuilder;
 import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.KeyRingProtectionSettings;
 import org.pgpainless.key.protection.PassphraseMapKeyRingProtector;
 import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
@ -288,6 +290,96 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
        return this;
    }

+    @Override
+    public SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
+                                                                 SecretKeyRingProtector secretKeyRingProtector,
+                                                                 RevocationAttributes revocationAttributes)
+            throws PGPException {
+        Iterator<PGPPublicKey> iterator = secretKeyRing.getPublicKeys();
+        while (iterator.hasNext()) {
+            PGPPublicKey publicKey = iterator.next();
+            try {
+                revokeUserId(userId, new OpenPgpV4Fingerprint(publicKey), secretKeyRingProtector, revocationAttributes);
+            } catch (IllegalArgumentException | NoSuchElementException e) {
+                // skip
+            }
+        }
+        return this;
+    }
+
+    @Override
+    public SecretKeyRingEditorInterface revokeUserId(String userId,
+                                                     OpenPgpV4Fingerprint subkeyFingerprint,
+                                                     SecretKeyRingProtector secretKeyRingProtector,
+                                                     RevocationAttributes revocationAttributes)
+            throws PGPException {
+        PGPPublicKey publicKey = secretKeyRing.getPublicKey(subkeyFingerprint.getKeyId());
+        if (publicKey == null) {
+            throw new IllegalArgumentException("Key ring does not carry a public key with fingerprint " + subkeyFingerprint);
+        }
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        if (!info.getUserIds().contains(userId)) {
+            throw new NoSuchElementException("Key " + subkeyFingerprint + " does not carry userID '" + userId + '\'');
+        }
+
+        return doRevokeUserId(userId, subkeyFingerprint.getKeyId(), secretKeyRingProtector, revocationAttributes);
+    }
+
+    @Override
+    public SecretKeyRingEditorInterface revokeUserId(String userId,
+                                                     long subkeyId,
+                                                     SecretKeyRingProtector secretKeyRingProtector,
+                                                     RevocationAttributes revocationAttributes)
+            throws PGPException {
+        PGPPublicKey publicKey = secretKeyRing.getPublicKey(subkeyId);
+        if (publicKey == null) {
+            throw new IllegalArgumentException("Key ring does not carry a public key with ID " + Long.toHexString(subkeyId));
+        }
+
+        KeyRingInfo info = PGPainless.inspectKeyRing(secretKeyRing);
+        if (!info.getUserIds().contains(userId)) {
+            throw new NoSuchElementException("Key " + Long.toHexString(subkeyId) + " does not carry userID '" + userId + '\'');
+        }
+
+        return doRevokeUserId(userId, subkeyId, secretKeyRingProtector, revocationAttributes);
+    }
+
+    private SecretKeyRingEditorInterface doRevokeUserId(String userId,
+                                                        long subKeyId,
+                                                        SecretKeyRingProtector protector,
+                                                        RevocationAttributes revocationAttributes) throws PGPException {
+        PGPPublicKey publicKey = KeyRingUtils.requirePublicKeyFrom(secretKeyRing, subKeyId);
+        PGPSecretKey primaryKey = secretKeyRing.getSecretKey();
+        PGPPrivateKey privateKey = unlockSecretKey(primaryKey, protector);
+
+        PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator();
+        subpacketGenerator.setSignatureCreationTime(false, new Date());
+        subpacketGenerator.setRevocable(false, false);
+        subpacketGenerator.setIssuerFingerprint(false, primaryKey);
+        if (revocationAttributes != null) {
+            RevocationAttributes.Reason reason = revocationAttributes.getReason();
+            if (reason != RevocationAttributes.Reason.NO_REASON
+                    && reason != RevocationAttributes.Reason.USER_ID_NO_LONGER_VALID) {
+                throw new IllegalArgumentException("Revocation reason must either be NO_REASON or USER_ID_NO_LONGER_VALID");
+            }
+            subpacketGenerator.setRevocationReason(false, revocationAttributes.getReason().code(), revocationAttributes.getDescription());
+        }
+
+        PGPSignatureGenerator signatureGenerator = SignatureUtils.getSignatureGeneratorFor(primaryKey);
+        signatureGenerator.setHashedSubpackets(subpacketGenerator.generate());
+        signatureGenerator.init(SignatureType.CERTIFICATION_REVOCATION.getCode(), privateKey);
+
+        PGPSignature revocationSignature = signatureGenerator.generateCertification(userId, publicKey);
+        publicKey = PGPPublicKey.addCertification(publicKey, userId, revocationSignature);
+
+        PGPPublicKeyRing publicKeyRing = KeyRingUtils.publicKeyRingFrom(secretKeyRing);
+        publicKeyRing = PGPPublicKeyRing.insertPublicKey(publicKeyRing, publicKey);
+        secretKeyRing =  PGPSecretKeyRing.replacePublicKeys(secretKeyRing, publicKeyRing);
+
+        return this;
+    }
+
    @Override
    public SecretKeyRingEditorInterface setExpirationDate(Date expiration,
                                                          SecretKeyRingProtector secretKeyRingProtector)
--- a/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditorInterface.java
@ -198,6 +198,101 @@ public interface SecretKeyRingEditorInterface {
                                              RevocationAttributes revocationAttributes)
            throws PGPException;

+    /**
+     * Revoke the given userID on any key in the key ring that is currently carrying the userID.
+     *
+     * @param userId userId to revoke
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @return the builder
+     */
+    default SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
+                                                                  SecretKeyRingProtector secretKeyRingProtector)
+            throws PGPException {
+        return revokeUserIdOnAllSubkeys(userId, secretKeyRingProtector, null);
+    }
+
+    /**
+     * Revoke the given userID on any key in the key ring that is currently carrying the userID.
+     *
+     * @param userId userId to revoke
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @param revocationAttributes reason for the revocation
+     * @return the builder
+     */
+    SecretKeyRingEditorInterface revokeUserIdOnAllSubkeys(String userId,
+                                                          SecretKeyRingProtector secretKeyRingProtector,
+                                                          RevocationAttributes revocationAttributes)
+            throws PGPException;
+
+    /**
+     * Revoke the given userID on the key that belongs to the given fingerprint.
+     *
+     * @param userId userId to revoke
+     * @param subkeyFingerprint fingerprint of the key on which the userID should be revoked
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @return the builder
+     */
+    default SecretKeyRingEditorInterface revokeUserId(String userId,
+                                                      OpenPgpV4Fingerprint subkeyFingerprint,
+                                                      SecretKeyRingProtector secretKeyRingProtector)
+            throws PGPException {
+        return revokeUserId(userId, subkeyFingerprint, secretKeyRingProtector, null);
+    }
+
+    /**
+     * Revoke the given userID on the key that belongs to the given fingerprint.
+     *
+     * @param userId userId to revoke
+     * @param subkeyFingerprint fingerprint of the key on which the userID should be revoked
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @param revocationAttributes reason for the revocation
+     * @return the builder
+     */
+    SecretKeyRingEditorInterface revokeUserId(String userId,
+                                              OpenPgpV4Fingerprint subkeyFingerprint,
+                                              SecretKeyRingProtector secretKeyRingProtector,
+                                              RevocationAttributes revocationAttributes)
+            throws PGPException;
+
+    /**
+     * Revoke the given userID on the key that belongs to the given key ID.
+     *
+     * @param userId userId to revoke
+     * @param subKeyId ID of the subkey on which we the userID should be revoked
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @return the builder
+     */
+    default SecretKeyRingEditorInterface revokeUserId(String userId,
+                                              long subKeyId,
+                                              SecretKeyRingProtector secretKeyRingProtector)
+            throws PGPException {
+        return revokeUserId(userId, subKeyId, secretKeyRingProtector, null);
+    }
+
+    /**
+     * Revoke the given userID on the key that belongs to the given key ID.
+     *
+     * @param userId userId to revoke
+     * @param subkeyId ID of the subkey on which we the userID should be revoked
+     * @param secretKeyRingProtector protector to unlock the primary key
+     * @param revocationAttributes reason for the revocation
+     * @return the builder
+     */
+    SecretKeyRingEditorInterface revokeUserId(String userId,
+                                              long subkeyId,
+                                              SecretKeyRingProtector secretKeyRingProtector,
+                                              RevocationAttributes revocationAttributes)
+            throws PGPException;
+
+    /**
+     * Set the expiration date for the primary key of the key ring.
+     * If the key is supposed to never expire, then an expiration date of null is expected.
+     *
+     * @param expiration new expiration date or null
+     * @param secretKeyRingProtector
+     * @return
+     * @throws PGPException
+     */
    SecretKeyRingEditorInterface setExpirationDate(Date expiration,
                                                   SecretKeyRingProtector secretKeyRingProtector)
            throws PGPException;
--- a/pgpainless-core/src/main/java/org/pgpainless/key/util/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/SignatureUtils.java
@ -116,16 +116,12 @@ public class SignatureUtils {
    }

    public static boolean isSelfSignatureValid(PGPSignature signature, PGPPublicKey publicKey) throws PGPException {
-        switch (signature.getSignatureType()) {
-            case PGPSignature.POSITIVE_CERTIFICATION:
-            case PGPSignature.DEFAULT_CERTIFICATION:
-                for (Iterator<String> it = publicKey.getUserIDs(); it.hasNext(); ) {
-                    String userId = it.next();
-                    boolean valid = isSelfSignatureOnUserIdValid(signature, userId, publicKey);
-                    if (valid) {
-                        return true;
-                    }
-                }
+        for (Iterator<String> it = publicKey.getUserIDs(); it.hasNext(); ) {
+            String userId = it.next();
+            boolean valid = isSelfSignatureOnUserIdValid(signature, userId, publicKey);
+            if (valid) {
+                return true;
+            }
        }
        return false;
    }