
Example 1 with RevocationKey

Use of org.bouncycastle.bcpg.sig.RevocationKey in the gerrit project by GerritCodeReview: class PublicKeyChecker, method checkRevocations.

private void checkRevocations(
        PGPPublicKey key,
        List<PGPSignature> revocations,
        Map<Long, RevocationKey> revokers,
        List<String> problems)
        throws PGPException, IOException {
    for (PGPSignature revocation : revocations) {
        // Only revocations issued by a key that the revoked key itself named as a
        // designated revoker (via a verified REVOCATION_KEY subpacket) are considered.
        RevocationKey revoker = revokers.get(revocation.getKeyID());
        if (revoker == null) {
            // Not a designated revoker.
            continue;
        }
        byte[] rfp = revoker.getFingerprint();
        PGPPublicKeyRing revokerKeyRing = store.get(rfp);
        if (revokerKeyRing == null) {
            // Revoker is authorized and there is a revocation signature by this
            // revoker, but the key is not in the store so we can't verify the
            // signature. Fail closed: treat the key as revoked.
            logger
                .atInfo()
                .log(
                    "Key %s is revoked by %s, which is not in the store. Assuming revocation is valid.",
                    lazy(() -> Fingerprint.toString(key.getFingerprint())),
                    lazy(() -> Fingerprint.toString(rfp)));
            problems.add(reasonToString(getRevocationReason(revocation)));
            continue;
        }
        PGPPublicKey rk = revokerKeyRing.getPublicKey();
        if (rk.getAlgorithm() != revoker.getAlgorithm()) {
            // The stored key does not match the algorithm named in the
            // RevocationKey subpacket, so it cannot be the designated revoker.
            continue;
        }
        if (!checkBasic(rk, PushCertificateChecker.getCreationTime(revocation)).isOk()) {
            // The revoker's own key was not valid at the time the revocation
            // was made, so the revocation is invalid.
            continue;
        }
        // Verify the revocation signature over the revoked key using the
        // revoker's public key; only a verified revocation is reported.
        revocation.init(new BcPGPContentVerifierBuilderProvider(), rk);
        if (revocation.verifyCertification(key)) {
            problems.add(reasonToString(getRevocationReason(revocation)));
        }
    }
}
Also used in this method:
    org.bouncycastle.openpgp.PGPPublicKeyRing
    org.bouncycastle.bcpg.sig.RevocationKey
    org.bouncycastle.openpgp.PGPPublicKey
    org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider
    org.bouncycastle.openpgp.PGPSignature

Example 2 with RevocationKey

Use of org.bouncycastle.bcpg.sig.RevocationKey in the gerrit project by GerritCodeReview: class PublicKeyChecker, method gatherRevocationProblems (version taking a java.util.Date).

private void gatherRevocationProblems(PGPPublicKey key, Date now, List<String> problems) {
    try {
        List<PGPSignature> revocations = new ArrayList<>();
        Map<Long, RevocationKey> revokers = new HashMap<>();
        // Collect revocation signatures on the key and the designated revokers
        // it names; a revocation signed by the key itself is returned directly.
        PGPSignature selfRevocation = scanRevocations(key, now, revocations, revokers);
        if (selfRevocation != null) {
            RevocationReason reason = getRevocationReason(selfRevocation);
            if (isRevocationValid(selfRevocation, reason, now)) {
                problems.add(reasonToString(reason));
            }
        } else {
            // No self-revocation: fall back to revocations by designated revokers.
            checkRevocations(key, revocations, revokers, problems);
        }
    } catch (PGPException | IOException e) {
        // Fail closed: an error during the check is itself reported as a problem.
        problems.add("Error checking key revocation");
    }
}
Also used in this method:
    org.bouncycastle.bcpg.sig.RevocationReason
    org.bouncycastle.openpgp.PGPException
    java.util.HashMap
    java.util.ArrayList
    org.bouncycastle.bcpg.sig.RevocationKey
    org.bouncycastle.openpgp.PGPSignature
    java.io.IOException

Example 3 with RevocationKey

Use of org.bouncycastle.bcpg.sig.RevocationKey in the gerrit project by GerritCodeReview: class PublicKeyChecker, method getRevocationKey.

private RevocationKey getRevocationKey(PGPPublicKey key, PGPSignature sig) throws PGPException {
    // Only a self-signature may designate a revoker.
    if (sig.getKeyID() != key.getKeyID()) {
        return null;
    }
    // The subpacket must be in the hashed area so that it is covered by the signature.
    SignatureSubpacket sub = sig.getHashedSubPackets().getSubpacket(REVOCATION_KEY);
    if (sub == null) {
        return null;
    }
    // Honour the designation only if the self-signature actually verifies.
    sig.init(new BcPGPContentVerifierBuilderProvider(), key);
    if (!sig.verifyCertification(key)) {
        return null;
    }
    return new RevocationKey(sub.isCritical(), sub.isLongLength(), sub.getData());
}
Also used in this method:
    org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider
    org.bouncycastle.bcpg.sig.RevocationKey
    org.bouncycastle.bcpg.SignatureSubpacket

Example 4 with RevocationKey

Use of org.bouncycastle.bcpg.sig.RevocationKey in the gerrit project by GerritCodeReview: class PublicKeyChecker, method gatherRevocationProblems (version taking a java.time.Instant; otherwise identical to Example 2).

private void gatherRevocationProblems(PGPPublicKey key, Instant now, List<String> problems) {
    try {
        List<PGPSignature> revocations = new ArrayList<>();
        Map<Long, RevocationKey> revokers = new HashMap<>();
        // Collect revocation signatures on the key and the designated revokers
        // it names; a revocation signed by the key itself is returned directly.
        PGPSignature selfRevocation = scanRevocations(key, now, revocations, revokers);
        if (selfRevocation != null) {
            RevocationReason reason = getRevocationReason(selfRevocation);
            if (isRevocationValid(selfRevocation, reason, now)) {
                problems.add(reasonToString(reason));
            }
        } else {
            // No self-revocation: fall back to revocations by designated revokers.
            checkRevocations(key, revocations, revokers, problems);
        }
    } catch (PGPException | IOException e) {
        // Fail closed: an error during the check is itself reported as a problem.
        problems.add("Error checking key revocation");
    }
}
Also used in this method:
    org.bouncycastle.bcpg.sig.RevocationReason
    org.bouncycastle.openpgp.PGPException
    java.util.HashMap
    java.util.ArrayList
    org.bouncycastle.bcpg.sig.RevocationKey
    org.bouncycastle.openpgp.PGPSignature
    java.io.IOException
