Improve handling of signatures with missing issuerKeyId packets

2025-12-10 06:11:08 +01:00 · 2021-07-31 22:24:39 +02:00 · 2021-07-31 22:24:39 +02:00 · fb16db5db4
commit fb16db5db4
parent 311c842196
4 changed files with 109 additions and 7 deletions
--- a/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/decryption_verification/DecryptionStreamFactory.java
@ -66,6 +66,7 @@ import org.pgpainless.key.info.KeyRingInfo;
 import org.pgpainless.key.protection.UnlockSecretKey;
 import org.pgpainless.signature.DetachedSignature;
 import org.pgpainless.signature.OnePassSignature;
+import org.pgpainless.signature.SignatureUtils;
 import org.pgpainless.util.CRCingArmoredInputStreamWrapper;
 import org.pgpainless.util.IntegrityProtectedInputStream;
 import org.pgpainless.util.Passphrase;
@ -90,11 +91,12 @@ public final class DecryptionStreamFactory {
        this.options = options;

        for (PGPSignature signature : options.getDetachedSignatures()) {
-            PGPPublicKeyRing signingKeyRing = findSignatureVerificationKeyRing(signature.getKeyID());
+            long issuerKeyId = SignatureUtils.determineIssuerKeyId(signature);
+            PGPPublicKeyRing signingKeyRing = findSignatureVerificationKeyRing(issuerKeyId);
            if (signingKeyRing == null) {
                continue;
            }
-            PGPPublicKey signingKey = signingKeyRing.getPublicKey(signature.getKeyID());
+            PGPPublicKey signingKey = signingKeyRing.getPublicKey(issuerKeyId);
            SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(signingKeyRing, signingKey.getKeyID());
            try {
                signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signingKey);
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureChainValidator.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureChainValidator.java
@ -65,10 +65,10 @@ public class SignatureChainValidator {
            throws SignatureValidationException {

        Map<PGPSignature, Exception> rejections = new ConcurrentHashMap<>();
-
-        PGPPublicKey signingSubkey = signingKeyRing.getPublicKey(signature.getKeyID());
+        long keyId = SignatureUtils.determineIssuerKeyId(signature);
+        PGPPublicKey signingSubkey = signingKeyRing.getPublicKey(keyId);
        if (signingSubkey == null) {
-            throw new SignatureValidationException("Provided key ring does not contain a subkey with id " + Long.toHexString(signature.getKeyID()));
+            throw new SignatureValidationException("Provided key ring does not contain a subkey with id " + Long.toHexString(keyId));
        }

        PGPPublicKey primaryKey = signingKeyRing.getPublicKey();
@ -237,7 +237,8 @@ public class SignatureChainValidator {
                                                 Date validationDate)
            throws SignatureValidationException {
        validateSigningKey(signature, signingKeyRing, policy);
-        return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(signature.getKeyID()), policy, validationDate);
+        long keyId = SignatureUtils.determineIssuerKeyId(signature);
+        return SignatureValidator.verifyUninitializedSignature(signature, signedData, signingKeyRing.getPublicKey(keyId), policy, validationDate);
    }

    /**
@ -253,7 +254,8 @@ public class SignatureChainValidator {
    public static boolean validateSignature(PGPSignature signature, PGPPublicKeyRing verificationKeys, Policy policy)
            throws SignatureValidationException {
        validateSigningKey(signature, verificationKeys, policy);
-        PGPPublicKey signingKey = verificationKeys.getPublicKey(signature.getKeyID());
+        long keyId = SignatureUtils.determineIssuerKeyId(signature);
+        PGPPublicKey signingKey = verificationKeys.getPublicKey(keyId);
        SignatureValidator.verifyInitializedSignature(signature, signingKey, policy, signature.getCreationTime());
        return true;
    }
--- a/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
+++ b/pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;

+import org.bouncycastle.bcpg.sig.IssuerKeyID;
 import org.bouncycastle.bcpg.MarkerPacket;
 import org.bouncycastle.bcpg.sig.KeyExpirationTime;
 import org.bouncycastle.bcpg.sig.RevocationReason;
@ -42,6 +43,7 @@ import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.HashAlgorithm;
 import org.pgpainless.algorithm.SignatureType;
 import org.pgpainless.implementation.ImplementationFactory;
+import org.pgpainless.key.OpenPgpV4Fingerprint;
 import org.pgpainless.key.util.OpenPgpKeyAttributeUtil;
 import org.pgpainless.key.util.RevocationAttributes;
 import org.pgpainless.policy.Policy;
@ -227,6 +229,20 @@ public class SignatureUtils {
        return signatures;
    }

+    public static long determineIssuerKeyId(PGPSignature signature) {
+        IssuerKeyID issuerKeyId = SignatureSubpacketsUtil.getIssuerKeyId(signature);
+        OpenPgpV4Fingerprint fingerprint = SignatureSubpacketsUtil.getIssuerFingerprintAsOpenPgpV4Fingerprint(signature);
+        if (issuerKeyId != null && issuerKeyId.getKeyID() != 0) {
+            return issuerKeyId.getKeyID();
+        }
+        if (issuerKeyId == null) {
+            if (fingerprint != null) {
+                return fingerprint.getKeyId();
+            }
+        }
+        return 0;
+    }
+
    public static String getSignatureDigestPrefix(PGPSignature signature) {
        return Hex.toHexString(signature.getDigestPrefix());
    }