diff options
24 files changed, 209 insertions, 43 deletions
diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpEncryptDecryptTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpEncryptDecryptTest.java index ebe31c9f0..8c1a358b0 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpEncryptDecryptTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpEncryptDecryptTest.java @@ -34,6 +34,7 @@ import org.sufficientlysecure.keychain.service.SaveKeyringParcel.Algorithm; import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult; import org.sufficientlysecure.keychain.operations.results.EditKeyResult; import org.sufficientlysecure.keychain.operations.results.SignEncryptResult; +import org.sufficientlysecure.keychain.service.SaveKeyringParcel.ChangeUnlockParcel; import org.sufficientlysecure.keychain.util.InputData; import org.sufficientlysecure.keychain.util.ProgressScaler; import org.sufficientlysecure.keychain.util.TestingUtils; @@ -68,7 +69,7 @@ public class PgpEncryptDecryptTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.ELGAMAL, 1024, null, KeyFlags.ENCRYPT_COMMS, 0L)); parcel.mAddUserIds.add("bloom"); - parcel.mNewUnlock = mKeyPhrase1; + parcel.mNewUnlock = new ChangeUnlockParcel(mKeyPhrase1); EditKeyResult result = op.createSecretKeyRing(parcel); Assert.assertTrue("initial test key creation must succeed", result.success()); @@ -86,7 +87,7 @@ public class PgpEncryptDecryptTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.ELGAMAL, 1024, null, KeyFlags.ENCRYPT_COMMS, 0L)); parcel.mAddUserIds.add("belle"); - parcel.mNewUnlock = mKeyPhrase2; + parcel.mNewUnlock = new ChangeUnlockParcel(mKeyPhrase2); EditKeyResult result = op.createSecretKeyRing(parcel); Assert.assertTrue("initial test key creation must succeed", result.success()); diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java index 79778c6d0..6b53a93ce 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperationTest.java @@ -41,8 +41,10 @@ import org.spongycastle.openpgp.PGPSignature; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog; import org.sufficientlysecure.keychain.operations.results.EditKeyResult; +import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey.SecretKeyType; import org.sufficientlysecure.keychain.service.SaveKeyringParcel; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.Algorithm; +import org.sufficientlysecure.keychain.service.SaveKeyringParcel.ChangeUnlockParcel; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.SubkeyAdd; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.SubkeyChange; import org.sufficientlysecure.keychain.support.KeyringBuilder; @@ -91,7 +93,7 @@ public class PgpKeyOperationTest { parcel.mAddUserIds.add("twi"); parcel.mAddUserIds.add("pink"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); PgpKeyOperation op = new PgpKeyOperation(null); EditKeyResult result = op.createSecretKeyRing(parcel); @@ -99,6 +101,7 @@ public class PgpKeyOperationTest { Assert.assertNotNull("initial test key creation must succeed", result.getRing()); staticRing = result.getRing(); + staticRing = staticRing.canonicalize(new OperationLog(), 0).getUncachedKeyRing(); // we sleep here for a second, to make sure all new certificates have different timestamps Thread.sleep(1000); @@ -127,7 +130,7 @@ public class PgpKeyOperationTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.RSA, new Random().nextInt(256)+255, null, KeyFlags.CERTIFY_OTHER, 0L)); parcel.mAddUserIds.add("shy"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating ring with < 512 bytes keysize should fail", parcel, LogType.MSG_CR_ERROR_KEYSIZE_512); @@ -138,7 +141,7 @@ public class PgpKeyOperationTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.ELGAMAL, 1024, null, KeyFlags.CERTIFY_OTHER, 0L)); parcel.mAddUserIds.add("shy"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating ring with ElGamal master key should fail", parcel, LogType.MSG_CR_ERROR_FLAGS_ELGAMAL); @@ -149,7 +152,7 @@ public class PgpKeyOperationTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.RSA, 1024, null, KeyFlags.CERTIFY_OTHER, null)); parcel.mAddUserIds.add("lotus"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating master key with null expiry should fail", parcel, LogType.MSG_CR_ERROR_NULL_EXPIRY); @@ -160,7 +163,7 @@ public class PgpKeyOperationTest { parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.RSA, 1024, null, KeyFlags.SIGN_DATA, 0L)); parcel.mAddUserIds.add("shy"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating ring with non-certifying master key should fail", parcel, LogType.MSG_CR_ERROR_NO_CERTIFY); @@ -170,7 +173,7 @@ public class PgpKeyOperationTest { parcel.reset(); parcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd( Algorithm.RSA, 1024, null, KeyFlags.CERTIFY_OTHER, 0L)); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating ring without user ids should fail", parcel, LogType.MSG_CR_ERROR_NO_USER_ID); @@ -179,7 +182,7 @@ public class PgpKeyOperationTest { { parcel.reset(); parcel.mAddUserIds.add("shy"); - parcel.mNewUnlock = passphrase; + parcel.mNewUnlock = new ChangeUnlockParcel(passphrase); assertFailure("creating ring with no master key should fail", parcel, LogType.MSG_CR_ERROR_NO_MASTER); @@ -910,8 +913,10 @@ public class PgpKeyOperationTest { public void testPassphraseChange() throws Exception { // change passphrase to empty - parcel.mNewUnlock = ""; - UncachedKeyRing modified = applyModificationWithChecks(parcel, ring, onlyA, onlyB); + parcel.mNewUnlock = new ChangeUnlockParcel(""); + // note that canonicalization here necessarily strips the empty notation packet + UncachedKeyRing modified = applyModificationWithChecks(parcel, ring, onlyA, onlyB, + passphrase, true, false); Assert.assertEquals("exactly three packets should have been modified (the secret keys)", 3, onlyB.size()); @@ -923,8 +928,8 @@ public class PgpKeyOperationTest { // modify keyring, change to non-empty passphrase String otherPassphrase = TestingUtils.genPassphrase(true); - parcel.mNewUnlock = otherPassphrase; - modified = applyModificationWithChecks(parcel, modified, onlyA, onlyB, ""); + parcel.mNewUnlock = new ChangeUnlockParcel(otherPassphrase); + modified = applyModificationWithChecks(parcel, modified, onlyA, onlyB, "", true, false); Assert.assertEquals("exactly three packets should have been modified (the secret keys)", 3, onlyB.size()); @@ -948,7 +953,7 @@ public class PgpKeyOperationTest { PacketTags.SECRET_SUBKEY, sKeyNoPassphrase.tag); String otherPassphrase2 = TestingUtils.genPassphrase(true); - parcel.mNewUnlock = otherPassphrase2; + parcel.mNewUnlock = new ChangeUnlockParcel(otherPassphrase2); { // if we replace a secret key with one without passphrase modified = KeyringTestingHelper.removePacket(modified, sKeyNoPassphrase.position); @@ -981,6 +986,28 @@ public class PgpKeyOperationTest { } + @Test + public void testUnlockPin() throws Exception { + + // change passphrase to a pin type + parcel.mNewUnlock = new ChangeUnlockParcel(null, "52351"); + UncachedKeyRing modified = applyModificationWithChecks(parcel, ring, onlyA, onlyB); + + Assert.assertEquals("exactly four packets should have been modified (the secret keys + notation packet)", + 4, onlyB.size()); + + RawPacket dkSig = onlyB.get(1); + Assert.assertEquals("second modified packet should be notation data", + PacketTags.SIGNATURE, dkSig.tag); + + // check that notation data contains pin + CanonicalizedSecretKeyRing secretRing = new CanonicalizedSecretKeyRing(modified.getEncoded(), false, 0); + Assert.assertEquals("secret key type should be 'pin' after this", + SecretKeyType.PIN, + secretRing.getSecretKey().getSecretKeyType()); + + } + private static UncachedKeyRing applyModificationWithChecks(SaveKeyringParcel parcel, UncachedKeyRing ring, ArrayList<RawPacket> onlyA, diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringCanonicalizeTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringCanonicalizeTest.java index cbdbd0e72..7d8a10ee0 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringCanonicalizeTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringCanonicalizeTest.java @@ -58,6 +58,7 @@ import org.sufficientlysecure.keychain.service.SaveKeyringParcel; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.Algorithm; import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType; import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog; +import org.sufficientlysecure.keychain.service.SaveKeyringParcel.ChangeUnlockParcel; import org.sufficientlysecure.keychain.support.KeyringTestingHelper; import org.sufficientlysecure.keychain.support.KeyringTestingHelper.RawPacket; @@ -104,7 +105,7 @@ public class UncachedKeyringCanonicalizeTest { parcel.mAddUserIds.add("twi"); parcel.mAddUserIds.add("pink"); // passphrase is tested in PgpKeyOperationTest, just use empty here - parcel.mNewUnlock = ""; + parcel.mNewUnlock = new ChangeUnlockParcel(""); PgpKeyOperation op = new PgpKeyOperation(null); EditKeyResult result = op.createSecretKeyRing(parcel); diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringMergeTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringMergeTest.java index 006c77fbc..799640d6c 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringMergeTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringMergeTest.java @@ -36,6 +36,7 @@ import org.sufficientlysecure.keychain.operations.results.OperationResult; import org.sufficientlysecure.keychain.operations.results.EditKeyResult; import org.sufficientlysecure.keychain.service.SaveKeyringParcel; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.Algorithm; +import org.sufficientlysecure.keychain.service.SaveKeyringParcel.ChangeUnlockParcel; import org.sufficientlysecure.keychain.support.KeyringTestingHelper; import org.sufficientlysecure.keychain.support.KeyringTestingHelper.RawPacket; import org.sufficientlysecure.keychain.util.ProgressScaler; @@ -96,7 +97,7 @@ public class UncachedKeyringMergeTest { parcel.mAddUserIds.add("twi"); parcel.mAddUserIds.add("pink"); // passphrase is tested in PgpKeyOperationTest, just use empty here - parcel.mNewUnlock = ""; + parcel.mNewUnlock = new ChangeUnlockParcel(""); PgpKeyOperation op = new PgpKeyOperation(null); OperationResult.OperationLog log = new OperationResult.OperationLog(); @@ -112,7 +113,7 @@ public class UncachedKeyringMergeTest { parcel.mAddUserIds.add("shy"); // passphrase is tested in PgpKeyOperationTest, just use empty here - parcel.mNewUnlock = ""; + parcel.mNewUnlock = new ChangeUnlockParcel(""); PgpKeyOperation op = new PgpKeyOperation(null); OperationResult.OperationLog log = new OperationResult.OperationLog(); diff --git a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringTest.java b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringTest.java index d8d825783..34c637abf 100644 --- a/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringTest.java +++ b/OpenKeychain-Test/src/test/java/org/sufficientlysecure/keychain/pgp/UncachedKeyringTest.java @@ -30,6 +30,7 @@ import org.sufficientlysecure.keychain.operations.results.EditKeyResult; import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException; import org.sufficientlysecure.keychain.service.SaveKeyringParcel; import org.sufficientlysecure.keychain.service.SaveKeyringParcel.Algorithm; +import org.sufficientlysecure.keychain.service.SaveKeyringParcel.ChangeUnlockParcel; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; @@ -57,7 +58,7 @@ public class UncachedKeyringTest { parcel.mAddUserIds.add("twi"); parcel.mAddUserIds.add("pink"); // passphrase is tested in PgpKeyOperationTest, just use empty here - parcel.mNewUnlock = ""; + parcel.mNewUnlock = new ChangeUnlockParcel(""); PgpKeyOperation op = new PgpKeyOperation(null); EditKeyResult result = op.createSecretKeyRing(parcel); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index dc45fabc3..606dd49d5 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -359,6 +359,7 @@ public abstract class OperationResult implements Parcelable { MSG_IS_SUBKEY_STRIPPED (LogLevel.DEBUG, R.string.msg_is_subkey_stripped), MSG_IS_SUBKEY_DIVERT (LogLevel.DEBUG, R.string.msg_is_subkey_divert), MSG_IS_SUBKEY_EMPTY (LogLevel.DEBUG, R.string.msg_is_subkey_empty), + MSG_IS_SUBKEY_PIN (LogLevel.DEBUG, R.string.msg_is_subkey_pin), MSG_IS_SUCCESS_IDENTICAL (LogLevel.OK, R.string.msg_is_success_identical), MSG_IS_SUCCESS (LogLevel.OK, R.string.msg_is_success), @@ -370,13 +371,15 @@ public abstract class OperationResult implements Parcelable { MSG_KC_ERROR_MASTER_ALGO (LogLevel.ERROR, R.string.msg_kc_error_master_algo), MSG_KC_ERROR_DUP_KEY (LogLevel.ERROR, R.string.msg_kc_error_dup_key), MSG_KC_MASTER (LogLevel.DEBUG, R.string.msg_kc_master), + MSG_KC_BAD_TYPE(LogLevel.WARN, R.string.msg_kc_bad_type), MSG_KC_REVOKE_BAD_ERR (LogLevel.WARN, R.string.msg_kc_revoke_bad_err), MSG_KC_REVOKE_BAD_LOCAL (LogLevel.WARN, R.string.msg_kc_revoke_bad_local), MSG_KC_REVOKE_BAD_TIME (LogLevel.WARN, R.string.msg_kc_revoke_bad_time), - MSG_KC_REVOKE_BAD_TYPE (LogLevel.WARN, R.string.msg_kc_revoke_bad_type), MSG_KC_REVOKE_BAD_TYPE_UID (LogLevel.WARN, R.string.msg_kc_revoke_bad_type_uid), MSG_KC_REVOKE_BAD (LogLevel.WARN, R.string.msg_kc_revoke_bad), MSG_KC_REVOKE_DUP (LogLevel.DEBUG, R.string.msg_kc_revoke_dup), + MSG_KC_NOTATION_DUP (LogLevel.DEBUG, R.string.msg_kc_notation_dup), + MSG_KC_NOTATION_EMPTY (LogLevel.DEBUG, R.string.msg_kc_notation_empty), MSG_KC_SUB (LogLevel.DEBUG, R.string.msg_kc_sub), MSG_KC_SUB_BAD(LogLevel.WARN, R.string.msg_kc_sub_bad), MSG_KC_SUB_BAD_ERR(LogLevel.WARN, R.string.msg_kc_sub_bad_err), diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java index a965d4819..42e59b3bc 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java @@ -49,6 +49,7 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.SignatureException; import java.util.Date; +import java.util.HashMap; import java.util.LinkedList; import java.util.List; @@ -140,6 +141,11 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey { // It means the passphrase is empty return SecretKeyType.PASSPHRASE_EMPTY; } catch (PGPException e) { + HashMap<String,String> notation = getRing().getLocalNotationData(); + if (notation.containsKey("unlock.pin@sufficientlysecure.org") + && "1".equals(notation.get("unlock.pin@sufficientlysecure.org"))) { + return SecretKeyType.PIN; + } // Otherwise, it's just a regular ol' passphrase return SecretKeyType.PASSPHRASE; } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKeyRing.java index e20155cc6..eb589c3f9 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKeyRing.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKeyRing.java @@ -26,6 +26,7 @@ import org.spongycastle.openpgp.PGPPrivateKey; import org.spongycastle.openpgp.PGPPublicKey; import org.spongycastle.openpgp.PGPSecretKey; import org.spongycastle.openpgp.PGPSecretKeyRing; +import org.spongycastle.openpgp.PGPSignature; import org.spongycastle.openpgp.operator.PBESecretKeyDecryptor; import org.spongycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder; import org.sufficientlysecure.keychain.Constants; @@ -36,6 +37,7 @@ import org.sufficientlysecure.keychain.util.IterableIterator; import org.sufficientlysecure.keychain.util.Log; import java.io.IOException; +import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -130,4 +132,16 @@ public class CanonicalizedSecretKeyRing extends CanonicalizedKeyRing { }); } + public HashMap<String,String> getLocalNotationData() { + HashMap<String,String> result = new HashMap<String,String>(); + Iterator<PGPSignature> it = getRing().getPublicKey().getKeySignatures(); + while (it.hasNext()) { + WrappedSignature sig = new WrappedSignature(it.next()); + if (sig.isLocal()) { + result.putAll(sig.getNotation()); + } + } + return result; + } + } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java index c125165a8..c8ce349f8 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java @@ -34,6 +34,7 @@ import org.spongycastle.openpgp.PGPSecretKeyRing; import org.spongycastle.openpgp.PGPSignature; import org.spongycastle.openpgp.PGPSignatureGenerator; import org.spongycastle.openpgp.PGPSignatureSubpacketGenerator; +import org.spongycastle.openpgp.PGPSignatureSubpacketVector; import org.spongycastle.openpgp.operator.PBESecretKeyDecryptor; import org.spongycastle.openpgp.operator.PBESecretKeyEncryptor; import org.spongycastle.openpgp.operator.PGPContentSignerBuilder; @@ -877,7 +878,8 @@ public class PgpKeyOperation { log.add(LogType.MSG_MF_PASSPHRASE, indent); indent += 1; - sKR = applyNewUnlock(sKR, masterPublicKey, passphrase, saveParcel.mNewUnlock, log, indent); + sKR = applyNewUnlock(sKR, masterPublicKey, masterPrivateKey, + passphrase, saveParcel.mNewUnlock, log, indent); if (sKR == null) { // The error has been logged above, just return a bad state return new EditKeyResult(EditKeyResult.RESULT_ERROR, log, null); @@ -909,19 +911,62 @@ public class PgpKeyOperation { private static PGPSecretKeyRing applyNewUnlock( PGPSecretKeyRing sKR, PGPPublicKey masterPublicKey, + PGPPrivateKey masterPrivateKey, String passphrase, ChangeUnlockParcel newUnlock, OperationLog log, int indent) throws PGPException { if (newUnlock.mNewPassphrase != null) { - return applyNewPassphrase(sKR, masterPublicKey, passphrase, newUnlock.mNewPassphrase, log, indent); + sKR = applyNewPassphrase(sKR, masterPublicKey, passphrase, newUnlock.mNewPassphrase, log, indent); + + // add packet with EMPTY notation data (updates old one, but will be stripped later) + PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder( + masterPrivateKey.getPublicKeyPacket().getAlgorithm(), HashAlgorithmTags.SHA512) + .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME); + PGPSignatureGenerator sGen = new PGPSignatureGenerator(signerBuilder); + { // set subpackets + PGPSignatureSubpacketGenerator hashedPacketsGen = new PGPSignatureSubpacketGenerator(); + hashedPacketsGen.setExportable(false, false); + sGen.setHashedSubpackets(hashedPacketsGen.generate()); + } + sGen.init(PGPSignature.DIRECT_KEY, masterPrivateKey); + PGPSignature emptySig = sGen.generateCertification(masterPublicKey); + + masterPublicKey = PGPPublicKey.addCertification(masterPublicKey, emptySig); + sKR = PGPSecretKeyRing.insertSecretKey(sKR, + PGPSecretKey.replacePublicKey(sKR.getSecretKey(), masterPublicKey)); + + return sKR; + } + + if (newUnlock.mNewPin != null) { + sKR = applyNewPassphrase(sKR, masterPublicKey, passphrase, newUnlock.mNewPin, log, indent); + + // add packet with EMPTY notation data (updates old one, but will be stripped later) + PGPContentSignerBuilder signerBuilder = new JcaPGPContentSignerBuilder( + masterPrivateKey.getPublicKeyPacket().getAlgorithm(), HashAlgorithmTags.SHA512) + .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME); + PGPSignatureGenerator sGen = new PGPSignatureGenerator(signerBuilder); + { // set subpackets + PGPSignatureSubpacketGenerator hashedPacketsGen = new PGPSignatureSubpacketGenerator(); + hashedPacketsGen.setExportable(false, false); + hashedPacketsGen.setNotationData(false, true, "unlock.pin@sufficientlysecure.org", "1"); + sGen.setHashedSubpackets(hashedPacketsGen.generate()); + } + sGen.init(PGPSignature.DIRECT_KEY, masterPrivateKey); + PGPSignature emptySig = sGen.generateCertification(masterPublicKey); + + masterPublicKey = PGPPublicKey.addCertification(masterPublicKey, emptySig); + sKR = PGPSecretKeyRing.insertSecretKey(sKR, + PGPSecretKey.replacePublicKey(sKR.getSecretKey(), masterPublicKey)); + + return sKR; } throw new UnsupportedOperationException("PIN passphrases not yet implemented!"); } - private static PGPSecretKeyRing applyNewPassphrase( PGPSecretKeyRing sKR, PGPPublicKey masterPublicKey, diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java index b343c779a..5e5a28e83 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java @@ -41,7 +41,6 @@ import org.sufficientlysecure.keychain.util.IterableIterator; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.Utf8Util; -import java.io.BufferedInputStream; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -302,6 +301,7 @@ public class UncachedKeyRing { PGPPublicKey modified = masterKey; PGPSignature revocation = null; + PGPSignature notation = null; for (PGPSignature zert : new IterableIterator<PGPSignature>(masterKey.getKeySignatures())) { int type = zert.getSignatureType(); @@ -318,9 +318,9 @@ public class UncachedKeyRing { } WrappedSignature cert = new WrappedSignature(zert); - if (type != PGPSignature.KEY_REVOCATION) { + if (type != PGPSignature.KEY_REVOCATION && type != PGPSignature.DIRECT_KEY) { // Unknown type, just remove - log.add(LogType.MSG_KC_REVOKE_BAD_TYPE, indent, "0x" + Integer.toString(type, 16)); + log.add(LogType.MSG_KC_BAD_TYPE, indent, "0x" + Integer.toString(type, 16)); modified = PGPPublicKey.removeCertification(modified, zert); badCerts += 1; continue; @@ -334,14 +334,6 @@ public class UncachedKeyRing { continue; } - if (cert.isLocal()) { - // Remove revocation certs with "local" flag - log.add(LogType.MSG_KC_REVOKE_BAD_LOCAL, indent); - modified = PGPPublicKey.removeCertification(modified, zert); - badCerts += 1; - continue; - } - try { cert.init(masterKey); if (!cert.verifySignature(masterKey)) { @@ -357,6 +349,39 @@ public class UncachedKeyRing { continue; } + // special case: direct key signatures! + if (cert.getSignatureType() == PGPSignature.DIRECT_KEY) { + // must be local, otherwise strip! + if (!cert.isLocal()) { + log.add(LogType.MSG_KC_BAD_TYPE, indent); + modified = PGPPublicKey.removeCertification(modified, zert); + badCerts += 1; + continue; + } + + // first notation? fine then. + if (notation == null) { + notation = zert; + // more notations? at least one is superfluous, then. + } else if (notation.getCreationTime().before(zert.getCreationTime())) { + log.add(LogType.MSG_KC_NOTATION_DUP, indent); + modified = PGPPublicKey.removeCertification(modified, notation); + redundantCerts += 1; + notation = zert; + } else { + log.add(LogType.MSG_KC_NOTATION_DUP, indent); + modified = PGPPublicKey.removeCertification(modified, zert); + redundantCerts += 1; + } + continue; + } else if (cert.isLocal()) { + // Remove revocation certs with "local" flag + log.add(LogType.MSG_KC_REVOKE_BAD_LOCAL, indent); + modified = PGPPublicKey.removeCertification(modified, zert); + badCerts += 1; + continue; + } + // first revocation? fine then. if (revocation == null) { revocation = zert; @@ -373,6 +398,16 @@ public class UncachedKeyRing { } } + // If we have a notation packet, check if there is even any data in it? + if (notation != null) { + // If there isn't, might as well strip it + if (new WrappedSignature(notation).getNotation().isEmpty()) { + log.add(LogType.MSG_KC_NOTATION_EMPTY, indent); + modified = PGPPublicKey.removeCertification(modified, notation); + redundantCerts += 1; + } + } + ArrayList<String> processedUserIds = new ArrayList<String>(); for (byte[] rawUserId : new IterableIterator<byte[]>(masterKey.getRawUserIDs())) { String userId = Utf8Util.fromUTF8ByteArrayReplaceBadEncoding(rawUserId); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedSignature.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedSignature.java index 93afb987a..c395ca52d 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedSignature.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedSignature.java @@ -21,6 +21,7 @@ package org.sufficientlysecure.keychain.pgp; import org.spongycastle.bcpg.SignatureSubpacket; import org.spongycastle.bcpg.SignatureSubpacketTags; import org.spongycastle.bcpg.sig.Exportable; +import org.spongycastle.bcpg.sig.NotationData; import org.spongycastle.bcpg.sig.Revocable; import org.spongycastle.bcpg.sig.RevocationReason; import org.spongycastle.openpgp.PGPException; @@ -37,6 +38,7 @@ import java.io.IOException; import java.security.SignatureException; import java.util.ArrayList; import java.util.Date; +import java.util.HashMap; /** OpenKeychain wrapper around PGPSignature objects. * @@ -239,4 +241,20 @@ public class WrappedSignature { SignatureSubpacket p = mSig.getHashedSubPackets().getSubpacket(SignatureSubpacketTags.EXPORTABLE); return ! ((Exportable) p).isExportable(); } + + public HashMap<String,String> getNotation() { + HashMap<String,String> result = new HashMap<String,String>(); + + // If there is any notation data + if (mSig.getHashedSubPackets() != null + && mSig.getHashedSubPackets().hasSubpacket(SignatureSubpacketTags.NOTATION_DATA)) { + // Iterate over notation data + for (NotationData data : mSig.getHashedSubPackets().getNotationDataOccurrences()) { + result.put(data.getNotationName(), data.getNotationValue()); + } + } + + return result; + } + } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java index 05dc99c5e..6daa26cd3 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java @@ -682,6 +682,11 @@ public class ProviderHelper { KeyFormattingUtils.convertKeyIdToHex(id) ); break; + case PIN: + log(LogType.MSG_IS_SUBKEY_PIN, + KeyFormattingUtils.convertKeyIdToHex(id) + ); + break; case GNU_DUMMY: log(LogType.MSG_IS_SUBKEY_STRIPPED, KeyFormattingUtils.convertKeyIdToHex(id) diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java index f5d4e5bd4..810190fee 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/SaveKeyringParcel.java @@ -254,6 +254,9 @@ public class SaveKeyringParcel implements Parcelable { // A new pin to use. Must only contain [0-9]+ public final String mNewPin; + public ChangeUnlockParcel(String newPassphrase) { + this(newPassphrase, null); + } public ChangeUnlockParcel(String newPassphrase, String newPin) { if (newPassphrase == null && newPin == null) { throw new RuntimeException("Cannot set both passphrase and pin. THIS IS A BUG!"); diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/PassphraseDialogActivity.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/PassphraseDialogActivity.java index 4c65aa314..cd564551a 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/PassphraseDialogActivity.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/PassphraseDialogActivity.java @@ -208,6 +208,9 @@ public class PassphraseDialogActivity extends FragmentActivity { case PASSPHRASE: message = getString(R.string.passphrase_for, userId); break; + case PIN: + message = getString(R.string.pin_for, userId); + break; case DIVERT_TO_CARD: message = getString(R.string.yubikey_pin_for, userId); break; diff --git a/OpenKeychain/src/main/res/values-de/strings.xml b/OpenKeychain/src/main/res/values-de/strings.xml index 12738bc60..fa74b287b 100644 --- a/OpenKeychain/src/main/res/values-de/strings.xml +++ b/OpenKeychain/src/main/res/values-de/strings.xml @@ -607,7 +607,7 @@ <string name="msg_kc_revoke_bad_err">Entferne fehlerhaftes Schlüsselbund Widerrufszertifikat</string> <string name="msg_kc_revoke_bad_local">Entferne Schlüsselbund Widerrufszertifikat mit \"Lokal\" Attribut</string> <string name="msg_kc_revoke_bad_time">Entferne Schlüsselbund Widerrufszertifikat mit zukünftigem Zeitstempel</string> - <string name="msg_kc_revoke_bad_type">Entferne Hauptschlüsselbeglaubigung unbekannter Art (%s)</string> + <string name="msg_kc_bad_type">Entferne Hauptschlüsselbeglaubigung unbekannter Art (%s)</string> <string name="msg_kc_revoke_bad">Entferne fehlerhaftes Schlüsselbund Widerrufszertifikat</string> <string name="msg_kc_revoke_dup">Entferne redundantes Schlüsselbund Widerrufszertifikat</string> <string name="msg_kc_sub">Verarbeite Unterschlüssel %s</string> diff --git a/OpenKeychain/src/main/res/values-es/strings.xml b/OpenKeychain/src/main/res/values-es/strings.xml index f89ca0bf7..afae20592 100644 --- a/OpenKeychain/src/main/res/values-es/strings.xml +++ b/OpenKeychain/src/main/res/values-es/strings.xml @@ -652,7 +652,7 @@ <string name="msg_kc_revoke_bad_err">Eliminando certificado defectuoso de revocación de juego de claves</string> <string name="msg_kc_revoke_bad_local">Eliminando certificado de revocación de juego de claves, con distintivo \"local\"</string> <string name="msg_kc_revoke_bad_time">Eliminando certificado de revocación de juego de claves, con marca de tiempo futura</string> - <string name="msg_kc_revoke_bad_type">Eliminando certificado de clave maestra, de tipo desconocido (%s)</string> + <string name="msg_kc_bad_type">Eliminando certificado de clave maestra, de tipo desconocido (%s)</string> <string name="msg_kc_revoke_bad_type_uid">Eliminando certificado de identificación de usuario en posición incorrecta</string> <string name="msg_kc_revoke_bad">Eliminando certificado defectuoso de revocación de juego de claves</string> <string name="msg_kc_revoke_dup">Eliminando certificado redundante de revocación de juego de claves </string> diff --git a/OpenKeychain/src/main/res/values-fr/strings.xml b/OpenKeychain/src/main/res/values-fr/strings.xml index 69764f514..60b7a3bcf 100644 --- a/OpenKeychain/src/main/res/values-fr/strings.xml +++ b/OpenKeychain/src/main/res/values-fr/strings.xml @@ -652,7 +652,7 @@ <string name="msg_kc_revoke_bad_err">Suppression du mauvais certificat de révocation du trousseau</string> <string name="msg_kc_revoke_bad_local">Suppression du certificat de révocation du trousseau ayant le drapeau « local »</string> <string name="msg_kc_revoke_bad_time">Suppression du certificat de révocation du trousseau ayant une estampille temporelle dans le futur</string> - <string name="msg_kc_revoke_bad_type">Suppression du certificat de clef maîtresse de type inconnu (%s)</string> + <string name="msg_kc_bad_type">Suppression du certificat de clef maîtresse de type inconnu (%s)</string> <string name="msg_kc_revoke_bad_type_uid">Suppression du certificat de l\'ID d\'utilisateur en mauvaise position</string> <string name="msg_kc_revoke_bad">Suppression du mauvais certificat de révocation du trousseau</string> <string name="msg_kc_revoke_dup"> Suppression du certificat redondant de révocation du trousseau</string> diff --git a/OpenKeychain/src/main/res/values-it/strings.xml b/OpenKeychain/src/main/res/values-it/strings.xml index 8d7c9e8f8..6a33e25f1 100644 --- a/OpenKeychain/src/main/res/values-it/strings.xml +++ b/OpenKeychain/src/main/res/values-it/strings.xml @@ -602,7 +602,7 @@ Permetti accesso?\n\nATTENZIONE: Se non sai perche\' questo schermata e\' appars <string name="msg_kc_revoke_bad_err">Rimozione di certificato di revoca del portachiavi corrotto</string> <string name="msg_kc_revoke_bad_local">Rimozione certificato di revoca del portachiavi con caratteristica \"locale\"</string> <string name="msg_kc_revoke_bad_time">Rimozione certificato di revoca del portachiavi con marca temporale futura</string> - <string name="msg_kc_revoke_bad_type">Rimozione certificato della chiave principale di tipo sconosciuto (%s)</string> + <string name="msg_kc_bad_type">Rimozione certificato della chiave principale di tipo sconosciuto (%s)</string> <string name="msg_kc_revoke_bad">Rimozione certificato di revoca del portachiavi corrotto</string> <string name="msg_kc_revoke_dup">Rimozione certificato di revoca del portachiavi ridondante</string> <string name="msg_kc_sub">Elaborazione sottochiave %s</string> diff --git a/OpenKeychain/src/main/res/values-ja/strings.xml b/OpenKeychain/src/main/res/values-ja/strings.xml index e53f0bfb1..5ed93c931 100644 --- a/OpenKeychain/src/main/res/values-ja/strings.xml +++ b/OpenKeychain/src/main/res/values-ja/strings.xml @@ -618,7 +618,7 @@ <string name="msg_kc_revoke_bad_err">問題のある鍵輪の破棄証明を破棄中</string> <string name="msg_kc_revoke_bad_local">鍵輪のローカルフラグ付き破棄証明を破棄中</string> <string name="msg_kc_revoke_bad_time">鍵輪の未来にタイムスタンプがある破棄証明を破棄中</string> - <string name="msg_kc_revoke_bad_type">問題のある主鍵の不明な型 (%s) の証明を破棄中</string> + <string name="msg_kc_bad_type">問題のある主鍵の不明な型 (%s) の証明を破棄中</string> <string name="msg_kc_revoke_bad_type_uid">不正な位置のユーザID検証を破棄中</string> <string name="msg_kc_revoke_bad">問題のある鍵輪の破棄証明を破棄中</string> <string name="msg_kc_revoke_dup">重複している鍵輪の破棄証明を破棄中</string> diff --git a/OpenKeychain/src/main/res/values-sl/strings.xml b/OpenKeychain/src/main/res/values-sl/strings.xml index 0799e951f..1841ee46b 100644 --- a/OpenKeychain/src/main/res/values-sl/strings.xml +++ b/OpenKeychain/src/main/res/values-sl/strings.xml @@ -450,7 +450,7 @@ <string name="msg_kc_revoke_bad_err">Umikam slab certifikat za preklic zbirk ključev</string> <string name="msg_kc_revoke_bad_local">Umikam certifikat za preklic zbirk ključev z oznako \"lokalno\"</string> <string name="msg_kc_revoke_bad_time">Umikam certifikat za preklic zbirk ključev s časovno znamko v prihodnosti</string> - <string name="msg_kc_revoke_bad_type">Umikam certifikat glavnega ključa neznanega tipa (%s)</string> + <string name="msg_kc_bad_type">Umikam certifikat glavnega ključa neznanega tipa (%s)</string> <string name="msg_kc_revoke_bad">Umikam slab certifikat za preklic zbirk ključev</string> <string name="msg_kc_revoke_dup">Umikam odvečen certifikat za preklic zbirk ključev</string> <string name="msg_kc_sub">Obdelujem podključ %s</string> diff --git a/OpenKeychain/src/main/res/values-sr/strings.xml b/OpenKeychain/src/main/res/values-sr/strings.xml index c38b681c4..5ba833972 100644 --- a/OpenKeychain/src/main/res/values-sr/strings.xml +++ b/OpenKeychain/src/main/res/values-sr/strings.xml @@ -672,7 +672,7 @@ <string name="msg_kc_revoke_bad_err">Уклањам лош сертификат опозива привеска</string> <string name="msg_kc_revoke_bad_local">Уклањам сертификат опозива привеска са заставицом „локални“</string> <string name="msg_kc_revoke_bad_time">Уклањам сертификат опозива привеска са временском ознаком у будућности</string> - <string name="msg_kc_revoke_bad_type">Уклањам сертификат главног кључа непознатог типа (%s)</string> + <string name="msg_kc_bad_type">Уклањам сертификат главног кључа непознатог типа (%s)</string> <string name="msg_kc_revoke_bad_type_uid">Уклањам сертификат корисничког ИД-а са погрешног места</string> <string name="msg_kc_revoke_bad">Уклањам лош сертификат опозива привеска</string> <string name="msg_kc_revoke_dup">Уклањам сувишни сертификат опозива привеска</string> diff --git a/OpenKeychain/src/main/res/values-sv/strings.xml b/OpenKeychain/src/main/res/values-sv/strings.xml index c1a7178e0..fda0ace11 100644 --- a/OpenKeychain/src/main/res/values-sv/strings.xml +++ b/OpenKeychain/src/main/res/values-sv/strings.xml @@ -573,7 +573,7 @@ <string name="msg_kc_master">Bearbetar huvudnyckel</string> <string name="msg_kc_revoke_bad_err">Tar bort dåligt återkallelsecertifikat för nyckelring</string> <string name="msg_kc_revoke_bad_time">Tar bort återkallelsecertifikat för nyckelring med framtida tidstämpel</string> - <string name="msg_kc_revoke_bad_type">Tar bort huvudnyckelcertifikat av okänd typ (%s)</string> + <string name="msg_kc_bad_type">Tar bort huvudnyckelcertifikat av okänd typ (%s)</string> <string name="msg_kc_revoke_bad">Tar bort dåligt återkallelsecertifikat för nyckelring</string> <string name="msg_kc_revoke_dup">Tar bort överflödigt återkallelsecertifikat för nyckelring</string> <string name="msg_kc_sub">Bearbetar undernyckel %s</string> diff --git a/OpenKeychain/src/main/res/values/strings.xml b/OpenKeychain/src/main/res/values/strings.xml index c142e9fee..05ea2a99a 100644 --- a/OpenKeychain/src/main/res/values/strings.xml +++ b/OpenKeychain/src/main/res/values/strings.xml @@ -697,6 +697,7 @@ <string name="msg_is_subkey_nonexistent">"Subkey %s unavailable in secret key"</string> <string name="msg_is_subkey_ok">"Marked secret subkey %s as available"</string> <string name="msg_is_subkey_empty">"Marked secret subkey %s as available, with empty passphrase"</string> + <string name="msg_is_subkey_pin">"Marked secret subkey %s as available, with pin passphrase"</string> <string name="msg_is_subkey_stripped">"Marked secret subkey %s as stripped"</string> <string name="msg_is_subkey_divert">"Marked secret subkey %s as 'divert to smartcard/NFC'"</string> <string name="msg_is_success_identical">"Keyring contains no new data, nothing to do"</string> @@ -710,13 +711,15 @@ <string name="msg_kc_error_master_algo">"The master key uses an unknown (%s) algorithm!"</string> <string name="msg_kc_error_dup_key">"Subkey %s occurs twice in keyring. Keyring is malformed, not importing!"</string> <string name="msg_kc_master">"Processing master key"</string> + <string name="msg_kc_bad_type">"Removing master key certificate of unknown type (%s)"</string> <string name="msg_kc_revoke_bad_err">"Removing bad keyring revocation certificate"</string> <string name="msg_kc_revoke_bad_local">"Removing keyring revocation certificate with "local" flag"</string> <string name="msg_kc_revoke_bad_time">"Removing keyring revocation certificate with future timestamp"</string> - <string name="msg_kc_revoke_bad_type">"Removing master key certificate of unknown type (%s)"</string> <string name="msg_kc_revoke_bad_type_uid">"Removing user ID certificate in bad position"</string> <string name="msg_kc_revoke_bad">"Removing bad keyring revocation certificate"</string> <string name="msg_kc_revoke_dup">"Removing redundant keyring revocation certificate"</string> + <string name="msg_kc_notation_dup">"Removing redundant notation certificate"</string> + <string name="msg_kc_notation_empty">"Removing empty notation certificate"</string> <string name="msg_kc_sub">"Processing subkey %s"</string> <string name="msg_kc_sub_bad">"Removing invalid subkey binding certificate"</string> <string name="msg_kc_sub_bad_err">"Removing bad subkey binding certificate"</string> diff --git a/build.gradle b/build.gradle index f6fff5d3c..8c3b355d4 100644 --- a/build.gradle +++ b/build.gradle @@ -21,7 +21,7 @@ task wrapper(type: Wrapper) { subprojects { tasks.withType(Test) { - maxParallelForks = 5 + maxParallelForks = 1 } } |