diff options
6 files changed, 154 insertions, 27 deletions
diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/operations/CertifyOperationTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/operations/CertifyOperationTest.java index c05f4a029..0af87ada4 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/operations/CertifyOperationTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/operations/CertifyOperationTest.java @@ -38,6 +38,7 @@ import org.sufficientlysecure.keychain.pgp.PgpKeyOperation; import org.sufficientlysecure.keychain.pgp.UncachedKeyRing; import org.sufficientlysecure.keychain.pgp.UncachedKeyRing.IteratorWithIOThrow; import org.sufficientlysecure.keychain.pgp.WrappedSignature; +import org.sufficientlysecure.keychain.pgp.WrappedUserAttribute; import org.sufficientlysecure.keychain.provider.KeychainContract.Certs; import org.sufficientlysecure.keychain.provider.ProviderHelper; import org.sufficientlysecure.keychain.service.CertifyActionsParcel; @@ -54,14 +55,15 @@ import java.io.ByteArrayOutputStream; import java.io.OutputStream; import java.io.PrintStream; import java.security.Security; +import java.util.ArrayList; import java.util.Iterator; +import java.util.Random; + @RunWith(RobolectricTestRunner.class) @org.robolectric.annotation.Config(emulateSdk = 18) // Robolectric doesn't yet support 19 public class CertifyOperationTest { - static String mPassphrase = TestingUtils.genPassphrase(true); - static UncachedKeyRing mStaticRing1, mStaticRing2; static String mKeyPhrase1 = TestingUtils.genPassphrase(true); static String mKeyPhrase2 = TestingUtils.genPassphrase(true); @@ -74,6 +76,8 @@ public class CertifyOperationTest { oldShadowStream = ShadowLog.stream; // ShadowLog.stream = System.out; + Random random = new Random(); + PgpKeyOperation op = new PgpKeyOperation(null); { @@ -102,8 +106,14 @@ public class CertifyOperationTest { Algorithm.DSA, 1024, null, KeyFlags.SIGN_DATA, 0L)); parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.ELGAMAL, 1024, null, KeyFlags.ENCRYPT_COMMS, 0L)); + parcel.mAddUserIds.add("ditz"); - parcel.mNewUnlock = new ChangeUnlockParcel(null, "1234"); + byte[] uatdata = new byte[random.nextInt(150)+10]; + random.nextBytes(uatdata); + parcel.mAddUserAttribute.add( + WrappedUserAttribute.fromSubpacket(random.nextInt(100)+1, uatdata)); + + parcel.mNewUnlock = new ChangeUnlockParcel(mKeyPhrase2); PgpEditKeyResult result = op.createSecretKeyRing(parcel); Assert.assertTrue("initial test key creation must succeed", result.success()); @@ -140,7 +150,7 @@ public class CertifyOperationTest { } @Test - public void testCertify() throws Exception { + public void testCertifyId() throws Exception { CertifyOperation op = operationWithFakePassphraseCache( mStaticRing1.getMasterKeyId(), mStaticRing1.getMasterKeyId(), mKeyPhrase1); @@ -152,7 +162,8 @@ public class CertifyOperationTest { } CertifyActionsParcel actions = new CertifyActionsParcel(mStaticRing1.getMasterKeyId()); - actions.add(new CertifyAction(mStaticRing2.getMasterKeyId())); + actions.add(new CertifyAction(mStaticRing2.getMasterKeyId(), + mStaticRing2.getPublicKey().getUnorderedUserIds())); CertifyResult result = op.certify(actions, null); Assert.assertTrue("certification must succeed", result.success()); @@ -167,12 +178,42 @@ public class CertifyOperationTest { } @Test + public void testCertifyAttribute() throws Exception { + CertifyOperation op = operationWithFakePassphraseCache( + mStaticRing1.getMasterKeyId(), mStaticRing1.getMasterKeyId(), mKeyPhrase1); + + { + CanonicalizedPublicKeyRing ring = new ProviderHelper(Robolectric.application) + .getCanonicalizedPublicKeyRing(mStaticRing2.getMasterKeyId()); + Assert.assertEquals("public key must not be marked verified prior to certification", + Certs.UNVERIFIED, ring.getVerified()); + } + + CertifyActionsParcel actions = new CertifyActionsParcel(mStaticRing1.getMasterKeyId()); + actions.add(new CertifyAction(mStaticRing2.getMasterKeyId(), null, + mStaticRing2.getPublicKey().getUnorderedUserAttributes())); + CertifyResult result = op.certify(actions, null); + + Assert.assertTrue("certification must succeed", result.success()); + + { + CanonicalizedPublicKeyRing ring = new ProviderHelper(Robolectric.application) + .getCanonicalizedPublicKeyRing(mStaticRing2.getMasterKeyId()); + Assert.assertEquals("new key must be verified now", + Certs.VERIFIED_SECRET, ring.getVerified()); + } + + } + + + @Test public void testCertifySelf() throws Exception { CertifyOperation op = operationWithFakePassphraseCache( mStaticRing1.getMasterKeyId(), mStaticRing1.getMasterKeyId(), mKeyPhrase1); CertifyActionsParcel actions = new CertifyActionsParcel(mStaticRing1.getMasterKeyId()); - actions.add(new CertifyAction(mStaticRing1.getMasterKeyId())); + actions.add(new CertifyAction(mStaticRing1.getMasterKeyId(), + mStaticRing2.getPublicKey().getUnorderedUserIds())); CertifyResult result = op.certify(actions, null); @@ -188,7 +229,9 @@ public class CertifyOperationTest { { CertifyActionsParcel actions = new CertifyActionsParcel(mStaticRing1.getMasterKeyId()); - actions.add(new CertifyAction(1234L)); + ArrayList<String> uids = new ArrayList<String>(); + uids.add("nonexistent"); + actions.add(new CertifyAction(1234L, uids)); CertifyResult result = op.certify(actions, null); @@ -199,7 +242,8 @@ public class CertifyOperationTest { { CertifyActionsParcel actions = new CertifyActionsParcel(1234L); - actions.add(new CertifyAction(mStaticRing1.getMasterKeyId())); + actions.add(new CertifyAction(mStaticRing1.getMasterKeyId(), + mStaticRing2.getPublicKey().getUnorderedUserIds())); CertifyResult result = op.certify(actions, null); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/CertifyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/CertifyOperation.java index 025f45f7f..2e9551826 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/CertifyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/CertifyOperation.java @@ -101,18 +101,26 @@ public class CertifyOperation extends BaseOperation { continue; } - if (action.mUserIds == null) { - log.add(LogType.MSG_CRT_CERTIFY_ALL, 2, - KeyFormattingUtils.convertKeyIdToHex(action.mMasterKeyId)); - } else { - log.add(LogType.MSG_CRT_CERTIFY_SOME, 2, action.mUserIds.size(), + CanonicalizedPublicKeyRing publicRing = + mProviderHelper.getCanonicalizedPublicKeyRing(action.mMasterKeyId); + + UncachedKeyRing certifiedKey = null; + if (action.mUserIds != null) { + log.add(LogType.MSG_CRT_CERTIFY_UIDS, 2, action.mUserIds.size(), KeyFormattingUtils.convertKeyIdToHex(action.mMasterKeyId)); + + certifiedKey = certificationKey.certifyUserIds( + publicRing, action.mUserIds, null, null); } - CanonicalizedPublicKeyRing publicRing = - mProviderHelper.getCanonicalizedPublicKeyRing(action.mMasterKeyId); + if (action.mUserAttributes != null) { + log.add(LogType.MSG_CRT_CERTIFY_UATS, 2, action.mUserAttributes.size(), + KeyFormattingUtils.convertKeyIdToHex(action.mMasterKeyId)); + + certifiedKey = certificationKey.certifyUserAttributes( + publicRing, action.mUserAttributes, null, null); + } - UncachedKeyRing certifiedKey = certificationKey.certifyUserIds(publicRing, action.mUserIds, null, null); if (certifiedKey == null) { certifyError += 1; log.add(LogType.MSG_CRT_WARN_CERT_FAILED, 3); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index a96cec8cf..068e314d5 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -691,8 +691,8 @@ public abstract class OperationResult implements Parcelable { MSG_PSE_SYMMETRIC (LogLevel.INFO, R.string.msg_pse_symmetric), MSG_CRT_CERTIFYING (LogLevel.DEBUG, R.string.msg_crt_certifying), - MSG_CRT_CERTIFY_ALL (LogLevel.DEBUG, R.string.msg_crt_certify_all), - MSG_CRT_CERTIFY_SOME (LogLevel.DEBUG, R.plurals.msg_crt_certify_some), + MSG_CRT_CERTIFY_UIDS (LogLevel.DEBUG, R.plurals.msg_crt_certify_uids), + MSG_CRT_CERTIFY_UATS (LogLevel.DEBUG, R.plurals.msg_crt_certify_uats), MSG_CRT_ERROR_SELF (LogLevel.ERROR, R.string.msg_crt_error_self), MSG_CRT_ERROR_MASTER_NOT_FOUND (LogLevel.ERROR, R.string.msg_crt_error_master_not_found), MSG_CRT_ERROR_NOTHING (LogLevel.ERROR, R.string.msg_crt_error_nothing), diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java index fe5db8c6d..c3fccc789 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java @@ -30,6 +30,7 @@ import org.spongycastle.openpgp.PGPSignature; import org.spongycastle.openpgp.PGPSignatureGenerator; import org.spongycastle.openpgp.PGPSignatureSubpacketGenerator; import org.spongycastle.openpgp.PGPSignatureSubpacketVector; +import org.spongycastle.openpgp.PGPUserAttributeSubpacketVector; import org.spongycastle.openpgp.PGPUtil; import org.spongycastle.openpgp.operator.PBESecretKeyDecryptor; import org.spongycastle.openpgp.operator.PGPContentSignerBuilder; @@ -268,7 +269,7 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey { * Certify the given pubkeyid with the given masterkeyid. * * @param publicKeyRing Keyring to add certification to. - * @param userIds User IDs to certify, or all if null + * @param userIds User IDs to certify * @return A keyring with added certifications */ public UncachedKeyRing certifyUserIds(CanonicalizedPublicKeyRing publicKeyRing, List<String> userIds, @@ -313,10 +314,8 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey { PGPPublicKey publicKey = publicKeyRing.getPublicKey().getPublicKey(); // fetch public key ring, add the certification and return it - Iterable<String> it = userIds != null ? userIds - : new IterableIterator<String>(publicKey.getUserIDs()); try { - for (String userId : it) { + for (String userId : userIds) { PGPSignature sig = signatureGenerator.generateCertification(userId, publicKey); publicKey = PGPPublicKey.addCertification(publicKey, userId, sig); } @@ -330,6 +329,71 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey { return new UncachedKeyRing(ring); } + /** + * Certify the given user attributes with the given masterkeyid. + * + * @param publicKeyRing Keyring to add certification to. + * @param userAttributes User IDs to certify, or all if null + * @return A keyring with added certifications + */ + public UncachedKeyRing certifyUserAttributes(CanonicalizedPublicKeyRing publicKeyRing, + List<WrappedUserAttribute> userAttributes, byte[] nfcSignedHash, Date nfcCreationTimestamp) { + if (mPrivateKeyState == PRIVATE_KEY_STATE_LOCKED) { + throw new PrivateKeyNotUnlockedException(); + } + if (!isMasterKey()) { + throw new AssertionError("tried to certify with non-master key, this is a programming error!"); + } + if (publicKeyRing.getMasterKeyId() == getKeyId()) { + throw new AssertionError("key tried to self-certify, this is a programming error!"); + } + + // create a signatureGenerator from the supplied masterKeyId and passphrase + PGPSignatureGenerator signatureGenerator; + { + // TODO: SHA256 fixed? + PGPContentSignerBuilder contentSignerBuilder = getContentSignerBuilder(PGPUtil.SHA256, + nfcSignedHash, nfcCreationTimestamp); + + signatureGenerator = new PGPSignatureGenerator(contentSignerBuilder); + try { + signatureGenerator.init(PGPSignature.DEFAULT_CERTIFICATION, mPrivateKey); + } catch (PGPException e) { + Log.e(Constants.TAG, "signing error", e); + return null; + } + } + + { // supply signatureGenerator with a SubpacketVector + PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator(); + if (nfcCreationTimestamp != null) { + spGen.setSignatureCreationTime(false, nfcCreationTimestamp); + Log.d(Constants.TAG, "For NFC: set sig creation time to " + nfcCreationTimestamp); + } + PGPSignatureSubpacketVector packetVector = spGen.generate(); + signatureGenerator.setHashedSubpackets(packetVector); + } + + // get the master subkey (which we certify for) + PGPPublicKey publicKey = publicKeyRing.getPublicKey().getPublicKey(); + + // fetch public key ring, add the certification and return it + try { + for (WrappedUserAttribute userAttribute : userAttributes) { + PGPUserAttributeSubpacketVector vector = userAttribute.getVector(); + PGPSignature sig = signatureGenerator.generateCertification(vector, publicKey); + publicKey = PGPPublicKey.addCertification(publicKey, vector, sig); + } + } catch (PGPException e) { + Log.e(Constants.TAG, "signing error", e); + return null; + } + + PGPPublicKeyRing ring = PGPPublicKeyRing.insertPublicKey(publicKeyRing.getRing(), publicKey); + + return new UncachedKeyRing(ring); + } + static class PrivateKeyNotUnlockedException extends RuntimeException { // this exception is a programming error which happens when an operation which requires // the private key is called without a previous call to unlock() diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/CertifyActionsParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/CertifyActionsParcel.java index f0dbf0820..f4b941109 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/CertifyActionsParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/CertifyActionsParcel.java @@ -24,6 +24,9 @@ import android.os.Parcelable; import java.io.Serializable; import java.util.ArrayList; +import org.sufficientlysecure.keychain.pgp.WrappedUserAttribute; + + /** * This class is a a transferable representation for a number of keyrings to * be certified. @@ -76,14 +79,19 @@ public class CertifyActionsParcel implements Parcelable { final public long mMasterKeyId; final public ArrayList<String> mUserIds; + final public ArrayList<WrappedUserAttribute> mUserAttributes; - public CertifyAction(long masterKeyId) { - this(masterKeyId, null); + public CertifyAction(long masterKeyId, ArrayList<String> userIds) { + mMasterKeyId = masterKeyId; + mUserIds = userIds; + mUserAttributes = null; } - public CertifyAction(long masterKeyId, ArrayList<String> userIds) { + public CertifyAction(long masterKeyId, ArrayList<String> userIds, + ArrayList<WrappedUserAttribute> attributes) { mMasterKeyId = masterKeyId; mUserIds = userIds; + mUserAttributes = attributes; } } diff --git a/OpenKeychain/src/main/res/values/strings.xml b/OpenKeychain/src/main/res/values/strings.xml index d9460882c..051383a36 100644 --- a/OpenKeychain/src/main/res/values/strings.xml +++ b/OpenKeychain/src/main/res/values/strings.xml @@ -1071,11 +1071,14 @@ <string name="msg_pse_symmetric">"Preparing symmetric encryption"</string> <string name="msg_crt_certifying">"Generating certifications"</string> - <string name="msg_crt_certify_all">"Certifying all user IDs for key %s"</string> - <plurals name="msg_crt_certify_some"> + <plurals name="msg_crt_certify_uids"> <item quantity="one">"Certifying one user ID for key %2$s"</item> <item quantity="other">"Certifying %1$d user IDs for key %2$s"</item> </plurals> + <plurals name="msg_crt_certify_uats"> + <item quantity="one">"Certifying one user attribute for key %2$s"</item> + <item quantity="other">"Certifying %1$d user attributes for key %2$s"</item> + </plurals> <string name="msg_crt_error_self">"Cannot issue self-certificate like this!"</string> <string name="msg_crt_error_master_not_found">"Master key not found!"</string> <string name="msg_crt_error_nothing">"No keys certified!"</string> |