From d65a26fbf5e937d154d9f59e0074e9314534e449 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Tue, 6 Jun 2023 11:00:44 +0200 Subject: [PATCH 1/4] Direct-Key signatures are calculated over the signee only, not the signer plus signee --- .../builder/ThirdPartyDirectKeySignatureBuilder.java | 6 +----- .../pgpainless/signature/consumer/SignatureValidator.java | 6 +++--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java index dd720bce..51a14052 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/builder/ThirdPartyDirectKeySignatureBuilder.java @@ -43,11 +43,7 @@ public class ThirdPartyDirectKeySignatureBuilder extends AbstractSignatureBuilde public PGPSignature build(PGPPublicKey key) throws PGPException { PGPSignatureGenerator signatureGenerator = buildAndInitSignatureGenerator(); - if (key.getKeyID() != publicSigningKey.getKeyID()) { - return signatureGenerator.generateCertification(publicSigningKey, key); - } else { - return signatureGenerator.generateCertification(key); - } + return signatureGenerator.generateCertification(key); } @Override diff --git a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java index cf0dc1fb..254b5d56 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java +++ b/pgpainless-core/src/main/java/org/pgpainless/signature/consumer/SignatureValidator.java @@ -539,10 +539,10 @@ public abstract class SignatureValidator { try { signature.init(ImplementationFactory.getInstance().getPGPContentVerifierBuilderProvider(), signer); boolean valid; - if (signer.getKeyID() != signee.getKeyID()) { - valid = signature.verifyCertification(signer, signee); - } else { + if (signer.getKeyID() == signee.getKeyID() || signature.getSignatureType() == PGPSignature.DIRECT_KEY) { valid = signature.verifyCertification(signee); + } else { + valid = signature.verifyCertification(signer, signee); } if (!valid) { throw new SignatureValidationException("Signature is not correct."); From 03dbd2f03f1c39dfd2ed5228f33d7e8a187fd4d3 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Thu, 8 Jun 2023 13:54:20 +0200 Subject: [PATCH 2/4] Fix faulty bit-strength policy check for signing subkeys --- .../java/org/pgpainless/encryption_signing/SigningOptions.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java index 0af07fc9..e481f490 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java +++ b/pgpainless-core/src/main/java/org/pgpainless/encryption_signing/SigningOptions.java @@ -379,7 +379,7 @@ public final class SigningOptions { SubkeyIdentifier signingKeyIdentifier = new SubkeyIdentifier(secretKey, signingSubkey.getKeyID()); PGPSecretKey signingSecretKey = secretKey.getSecretKey(signingSubkey.getKeyID()); PublicKeyAlgorithm publicKeyAlgorithm = PublicKeyAlgorithm.requireFromId(signingSecretKey.getPublicKey().getAlgorithm()); - int bitStrength = secretKey.getPublicKey().getBitStrength(); + int bitStrength = signingSecretKey.getPublicKey().getBitStrength(); if (!PGPainless.getPolicy().getPublicKeyAlgorithmPolicy().isAcceptable(publicKeyAlgorithm, bitStrength)) { throw new KeyException.UnacceptableSigningKeyException( new KeyException.PublicKeyAlgorithmPolicyException( From 23e6b6a35e703f3c78511b94f1efbe3822ad2140 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 10 Jun 2023 14:04:44 +0200 Subject: [PATCH 3/4] Update changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd7f3505..ca3f4253 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0 # PGPainless Changelog +# 1.4.5 +- Bugfix: Direct-Key signatures are calculated over the signee key only, not the signer key + signee key +- Security: Fix faulty bit-strength policy check for signing subkeys + ## 1.4.4 - Fix expectations on subpackets of v3 signatures (thanks @bjansen) - Properly verify v3 signatures, which do not yet have signature subpackets, yet we required them to have From af7da01497d4ede3c0287a9d688377f4f2ddcc11 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Sat, 10 Jun 2023 14:06:10 +0200 Subject: [PATCH 4/4] PGPainless 1.4.5 --- README.md | 2 +- pgpainless-sop/README.md | 4 ++-- version.gradle | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 2a91789e..aeef03b9 100644 --- a/README.md +++ b/README.md @@ -191,7 +191,7 @@ repositories { } dependencies { - implementation 'org.pgpainless:pgpainless-core:1.4.4' + implementation 'org.pgpainless:pgpainless-core:1.4.5' } ``` diff --git a/pgpainless-sop/README.md b/pgpainless-sop/README.md index 3aef6d05..60617fa8 100644 --- a/pgpainless-sop/README.md +++ b/pgpainless-sop/README.md @@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your ... dependencies { ... - implementation "org.pgpainless:pgpainless-sop:1.4.4" + implementation "org.pgpainless:pgpainless-sop:1.4.5" ... } @@ -34,7 +34,7 @@ dependencies { org.pgpainless pgpainless-sop - 1.4.4 + 1.4.5 ... diff --git a/version.gradle b/version.gradle index 55e9b151..7f2c562c 100644 --- a/version.gradle +++ b/version.gradle @@ -5,7 +5,7 @@ allprojects { ext { shortVersion = '1.4.5' - isSnapshot = true + isSnapshot = false pgpainlessMinAndroidSdk = 10 javaSourceCompatibility = 1.8 bouncyCastleVersion = '1.72'