List of usage examples for org.bouncycastle.openpgp PGPSignatureSubpacketVector getSubpacket
public SignatureSubpacket getSubpacket(int type)
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final boolean isGoodBackSignature(PGPSignature sig, PGPPublicKey signer, PGPPublicKey target, StringBuilder errors) throws PGPException, SignatureException, IOException { SignatureSubpacket esigpack = null;/*from w w w.j av a 2 s. com*/ // Prefer to get it from the hashed subpacket. PGPSignatureSubpacketVector svec = sig.getHashedSubPackets(); if (svec != null) { esigpack = svec.getSubpacket(SignatureSubpacketTags.EMBEDDED_SIGNATURE); } if (esigpack == null) { svec = sig.getUnhashedSubPackets(); if (svec != null) { esigpack = svec.getSubpacket(SignatureSubpacketTags.EMBEDDED_SIGNATURE); } } if (esigpack == null) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because it doesn't have a cross-certification.\n" + "See https://www.gnupg.org/faq/subkey-cross-certify.html\n"); return false; } // Unfortunately, since PGPSignature(byte[]) is not public, we // have to go through this ugly contortion to get a signature. ByteArrayOutputStream baout = new ByteArrayOutputStream(); // dump out an old-style header. int hdr = 0x80 | (PacketTags.SIGNATURE << 2); int len = esigpack.getData().length; if (len <= 0xff) { baout.write(hdr); baout.write(len); } else if (len <= 0xffff) { baout.write(hdr | 0x01); baout.write((len >> 8) & 0xff); baout.write(len & 0xff); } else { baout.write(hdr | 0x02); baout.write((len >> 24) & 0xff); baout.write((len >> 16) & 0xff); baout.write((len >> 8) & 0xff); baout.write(len & 0xff); } baout.write(esigpack.getData()); baout.close(); PGPObjectFactory fact = new PGPObjectFactory(new ByteArrayInputStream(baout.toByteArray()), new BcKeyFingerprintCalculator()); Object obj = fact.nextObject(); if (!(obj instanceof PGPSignatureList)) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because no usable embedded signature is available.\n"); return false; } PGPSignatureList esiglist = (PGPSignatureList) obj; if (esiglist.size() != 1) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because no usable embedded signature is available.\n"); return false; } PGPSignature esig = esiglist.get(0); if (esig.getSignatureType() != PGPSignature.PRIMARYKEY_BINDING) { errors.append("Rejecting " + niceSig(sig) + " for subkey " + nicePk(target) + " because the embedded " + niceSig(esig) + " is not a proper backsignature.\n"); return false; } esig.init(new BcPGPContentVerifierBuilderProvider(), target); return esig.verifyCertification(signer, target) && isSignatureCurrent(esig, errors); }
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final long getSignatureTimestamp(PGPSignature sig, StringBuilder errors) { long ts = sig.getCreationTime().getTime(); // Work-around bouncycastle not indicating lack of timestamp as a // hashed subpacket. if (sig.getVersion() == 4) { // Make sure we actually have a timestamp packet in // the hashed section. PGPSignatureSubpacketVector svec = sig.getHashedSubPackets(); if (svec == null) { errors.append(niceSig(sig) + " is missing a creation timestamp.\n"); return -1L; }/*from w w w . j a va 2 s .c o m*/ SignatureCreationTime tspack = (SignatureCreationTime) svec .getSubpacket(SignatureSubpacketTags.CREATION_TIME); if (tspack == null) { errors.append(niceSig(sig) + " is missing a creation timestamp.\n"); return -1L; } ts = tspack.getTime().getTime(); } return ts; }
From source file:com.google.e2e.bcdriver.KeyChecker.java
License:Apache License
private static final boolean isSignatureCurrent(PGPSignature sig, StringBuilder errors) { long ts = getSignatureTimestamp(sig, errors); if (ts < 0) { return false; }/*from w ww. j av a 2 s . c om*/ // Timestamp should not be in the future. if (ts > (System.currentTimeMillis() + ACCEPTABLE_DELTA_MSEC)) { errors.append(niceSig(sig) + " in the future? (" + new Date(ts) + ")\n"); return false; } if (ts < 0) { errors.append(niceSig(sig) + " is negative? (" + ts + ")\n"); return false; } // Check if the signature or key has expired. PGPSignatureSubpacketVector svec = sig.getHashedSubPackets(); if (svec != null) { SignatureExpirationTime tspack = (SignatureExpirationTime) svec .getSubpacket(SignatureSubpacketTags.EXPIRE_TIME); if (tspack != null) { long expDelta = tspack.getTime() * 1000L; if (!acceptableInterval(sig, ts, expDelta, errors)) { return false; } } // If there's a key-expiration subpacket, also check that. KeyExpirationTime ket = (KeyExpirationTime) svec.getSubpacket(SignatureSubpacketTags.KEY_EXPIRE_TIME); if (ket != null) { long expDelta = ket.getTime() * 1000L; if (!acceptableInterval(sig, ts, expDelta, errors)) { return false; } } } return true; }
From source file:com.google.e2e.bcdriver.Util.java
License:Apache License
static final boolean hasKeyFlag(PGPSignature sig, int flag) { PGPSignatureSubpacketVector hashed = sig.getHashedSubPackets(); if (hashed == null) { return false; }//from w ww . j av a2 s.c om KeyFlags flags = (KeyFlags) hashed.getSubpacket(SignatureSubpacketTags.KEY_FLAGS); if (flags == null) { return false; } return ((flags.getFlags() & flag) != 0); }
From source file:org.sufficientlysecure.keychain.pgp.UncachedPublicKey.java
License:Open Source License
/** Get all key usage flags. * If at least one key flag subpacket is present return these. If no * subpacket is present it returns null. * * Note that this method has package visiblity because it is used in test * cases. Certificates of UncachedPublicKey instances can NOT be assumed to * be verified or even by the correct key, so the result of this method * should never be used in other places! *///from w w w. j a v a2s. c om @SuppressWarnings("unchecked") Integer getKeyUsage() { if (mCacheUsage == null) { PGPSignature mostRecentSig = null; for (PGPSignature sig : new IterableIterator<PGPSignature>(mPublicKey.getSignatures())) { if (mPublicKey.isMasterKey() && sig.getKeyID() != mPublicKey.getKeyID()) { continue; } switch (sig.getSignatureType()) { case PGPSignature.DEFAULT_CERTIFICATION: case PGPSignature.POSITIVE_CERTIFICATION: case PGPSignature.CASUAL_CERTIFICATION: case PGPSignature.NO_CERTIFICATION: case PGPSignature.SUBKEY_BINDING: break; // if this is not one of the above types, don't care default: continue; } // If we have no sig yet, take the first we can get if (mostRecentSig == null) { mostRecentSig = sig; continue; } // If the new sig is less recent, skip it if (mostRecentSig.getCreationTime().after(sig.getCreationTime())) { continue; } // Otherwise, note it down as the new "most recent" one mostRecentSig = sig; } // Initialize to 0 as cached but empty value, if there is no sig (can't happen // for canonicalized keyring), or there is no KEY_FLAGS packet in the sig mCacheUsage = 0; if (mostRecentSig != null) { // If a mostRecentSig has been found, (cache and) return its flags PGPSignatureSubpacketVector hashed = mostRecentSig.getHashedSubPackets(); if (hashed != null && hashed.getSubpacket(SignatureSubpacketTags.KEY_FLAGS) != null) { mCacheUsage = hashed.getKeyFlags(); } } } return mCacheUsage; }