List of usage examples for org.bouncycastle.openpgp PGPSignature verifyCertification
public boolean verifyCertification(PGPPublicKey masterKey, PGPPublicKey pubKey) throws PGPException
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final boolean isGoodSubkeySignature(PGPSignature sig, PGPPublicKey primary, PGPPublicKey subkey, StringBuilder errors) throws PGPException, SignatureException, IOException { sig.init(new BcPGPContentVerifierBuilderProvider(), primary); return sig.verifyCertification(primary, subkey) && isSignatureCurrent(sig, errors); }
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final boolean isGoodBackSignature(PGPSignature sig, PGPPublicKey signer, PGPPublicKey target, StringBuilder errors) throws PGPException, SignatureException, IOException { SignatureSubpacket esigpack = null;/*ww w.j a va2s.c o m*/ // Prefer to get it from the hashed subpacket. PGPSignatureSubpacketVector svec = sig.getHashedSubPackets(); if (svec != null) { esigpack = svec.getSubpacket(SignatureSubpacketTags.EMBEDDED_SIGNATURE); } if (esigpack == null) { svec = sig.getUnhashedSubPackets(); if (svec != null) { esigpack = svec.getSubpacket(SignatureSubpacketTags.EMBEDDED_SIGNATURE); } } if (esigpack == null) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because it doesn't have a cross-certification.\n" + "See https://www.gnupg.org/faq/subkey-cross-certify.html\n"); return false; } // Unfortunately, since PGPSignature(byte[]) is not public, we // have to go through this ugly contortion to get a signature. ByteArrayOutputStream baout = new ByteArrayOutputStream(); // dump out an old-style header. int hdr = 0x80 | (PacketTags.SIGNATURE << 2); int len = esigpack.getData().length; if (len <= 0xff) { baout.write(hdr); baout.write(len); } else if (len <= 0xffff) { baout.write(hdr | 0x01); baout.write((len >> 8) & 0xff); baout.write(len & 0xff); } else { baout.write(hdr | 0x02); baout.write((len >> 24) & 0xff); baout.write((len >> 16) & 0xff); baout.write((len >> 8) & 0xff); baout.write(len & 0xff); } baout.write(esigpack.getData()); baout.close(); PGPObjectFactory fact = new PGPObjectFactory(new ByteArrayInputStream(baout.toByteArray()), new BcKeyFingerprintCalculator()); Object obj = fact.nextObject(); if (!(obj instanceof PGPSignatureList)) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because no usable embedded signature is available.\n"); return false; } PGPSignatureList esiglist = (PGPSignatureList) obj; if (esiglist.size() != 1) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because no usable embedded signature is available.\n"); return false; } PGPSignature esig = esiglist.get(0); if (esig.getSignatureType() != PGPSignature.PRIMARYKEY_BINDING) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because the embedded " + niceSig(esig) + " is not a proper backsignature.\n"); return false; } esig.init(new BcPGPContentVerifierBuilderProvider(), target); return esig.verifyCertification(signer, target) && isSignatureCurrent(esig, errors); }
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final boolean isGoodUIDSignature(PGPSignature sig, PGPPublicKey masterpk, String uid, StringBuilder errors) throws PGPException, SignatureException, IOException { sig.init(new BcPGPContentVerifierBuilderProvider(), masterpk); if (!sig.verifyCertification(uid, masterpk)) { errors.append("Skipping certification " + niceSig(sig) + " for '" + uid + "' because the signature is invalid.\n"); return false; }// w ww . ja v a 2 s . c om return isSignatureCurrent(sig, errors); }
From source file:com.google.gerrit.gpg.GerritPublicKeyChecker.java
License:Apache License
private static boolean isValidCertification(PGPPublicKey key, PGPSignature sig, String userId) throws PGPException { if (sig.getSignatureType() != PGPSignature.DEFAULT_CERTIFICATION && sig.getSignatureType() != PGPSignature.POSITIVE_CERTIFICATION) { return false; }//from www .ja v a2s .c o m if (sig.getKeyID() != key.getKeyID()) { return false; } // TODO(dborowitz): Handle certification revocations: // - Is there a revocation by either this key or another key trusted by the // server? // - Does such a revocation postdate all other valid certifications? sig.init(new BcPGPContentVerifierBuilderProvider(), key); return sig.verifyCertification(userId, key); }
From source file:com.google.gerrit.gpg.PublicKeyStore.java
License:Apache License
/** * Choose the public key that produced a certification. * <p>// www . j a v a 2 s . co m * @param keyRings candidate keys. * @param sig signature object. * @param userId user ID being certified. * @param key key being certified. * @return the key chosen from {@code keyRings} that was able to verify the * certification, or null if none was found. * @throws PGPException if an error occurred verifying the certification. */ public static PGPPublicKey getSigner(Iterable<PGPPublicKeyRing> keyRings, PGPSignature sig, String userId, PGPPublicKey key) throws PGPException { for (PGPPublicKeyRing kr : keyRings) { PGPPublicKey k = kr.getPublicKey(); sig.init(new BcPGPContentVerifierBuilderProvider(), k); if (sig.verifyCertification(userId, key)) { return k; } } return null; }
From source file:org.kontalk.xmppserver.pgp.PGPUtils.java
License:Open Source License
private static boolean verifyUidSignature(PGPPublicKey publicKey, PGPSignature sig, PGPPublicKey signerKey, String uid) throws PGPException { sig.init(new BcPGPContentVerifierBuilderProvider(), signerKey); return sig.verifyCertification(uid, publicKey); }
From source file:org.sufficientlysecure.keychain.pgp.UncachedPublicKey.java
License:Open Source License
/** Returns the primary user id, as indicated by the public key's self certificates. * * This is an expensive operation, since potentially a lot of certificates (and revocations) * have to be checked, and even then the result is NOT guaranteed to be constant through a * canonicalization operation./* w w w .j a va 2s . c o m*/ * * Returns null if there is no primary user id (as indicated by certificates) * */ public String getPrimaryUserId() { byte[] found = null; PGPSignature foundSig = null; // noinspection unchecked for (byte[] rawUserId : new IterableIterator<byte[]>(mPublicKey.getRawUserIDs())) { PGPSignature revocation = null; @SuppressWarnings("unchecked") Iterator<PGPSignature> signaturesIt = mPublicKey.getSignaturesForID(rawUserId); // no signatures for this User ID if (signaturesIt == null) { continue; } for (PGPSignature sig : new IterableIterator<>(signaturesIt)) { try { // if this is a revocation, this is not the user id if (sig.getSignatureType() == PGPSignature.CERTIFICATION_REVOCATION) { // make sure it's actually valid sig.init(new JcaPGPContentVerifierBuilderProvider() .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME), mPublicKey); if (!sig.verifyCertification(rawUserId, mPublicKey)) { continue; } if (found != null && Arrays.equals(found, rawUserId)) { found = null; } revocation = sig; // this revocation may still be overridden by a newer cert continue; } if (sig.getHashedSubPackets() != null && sig.getHashedSubPackets().isPrimaryUserID()) { if (foundSig != null && sig.getCreationTime().before(foundSig.getCreationTime())) { continue; } // ignore if there is a newer revocation for this user id if (revocation != null && sig.getCreationTime().before(revocation.getCreationTime())) { continue; } // make sure it's actually valid sig.init(new JcaPGPContentVerifierBuilderProvider() .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME), mPublicKey); if (sig.verifyCertification(rawUserId, mPublicKey)) { found = rawUserId; foundSig = sig; // this one can't be relevant anymore at this point revocation = null; } } } catch (Exception e) { // nothing bad happens, the key is just not considered the primary key id } } } if (found != null) { return Utf8Util.fromUTF8ByteArrayReplaceBadEncoding(found); } else { return null; } }