From 9d97d37c06f22354c124bd6cedd989d9ca4ff53e Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Fri, 11 Sep 2015 01:57:17 +0200 Subject: perform fingerprint check after canonicalization (OKC-01-009) --- .../keychain/operations/ImportOperation.java | 13 +------------ .../keychain/operations/results/OperationResult.java | 4 ++-- .../keychain/pgp/CanonicalizedKeyRing.java | 12 ++++++++++++ .../sufficientlysecure/keychain/pgp/UncachedKeyRing.java | 11 ----------- .../keychain/provider/ProviderHelper.java | 15 +++++++++++++-- OpenKeychain/src/main/res/values/strings.xml | 4 ++-- 6 files changed, 30 insertions(+), 29 deletions(-) (limited to 'OpenKeychain/src/main') diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/ImportOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/ImportOperation.java index 7b224fe8e..29264b5a2 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/ImportOperation.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/ImportOperation.java @@ -254,17 +254,6 @@ public class ImportOperation extends BaseOperation { continue; } - // If we have an expected fingerprint, make sure it matches - if (entry.mExpectedFingerprint != null) { - if (!key.containsSubkey(entry.mExpectedFingerprint)) { - log.add(LogType.MSG_IMPORT_FINGERPRINT_ERROR, 2); - badKeys += 1; - continue; - } else { - log.add(LogType.MSG_IMPORT_FINGERPRINT_OK, 2); - } - } - // Another check if we have been cancelled if (checkCancelled()) { cancelled = true; @@ -283,7 +272,7 @@ public class ImportOperation extends BaseOperation { } else { result = mProviderHelper.savePublicKeyRing(key, new ProgressScaler(progressable, (int) (position * progSteps), - (int) ((position + 1) * progSteps), 100)); + (int) ((position + 1) * progSteps), 100), entry.mExpectedFingerprint); } } if (!result.success()) { 
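Review bot: The expected fingerprint now reaches only the `savePublicKeyRing` call in the `else` arm of the second ImportOperation hunk, while the first hunk deletes the check that used to run for every entry before either arm. The matching `if` arm lies outside the hunk, so this is inferred, but if it saves through a different method, keys taking that path are no longer compared against `entry.mExpectedFingerprint` at all. Either pass the fingerprint down that path as well, or fail the entry when `entry.mExpectedFingerprint != null` and the key would take the other arm. A comment at the call such as `// expected fingerprint is verified inside savePublicKeyRing, after canonicalization` would also tell the next reader where the check went.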
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java index 46852d783..4e528f73e 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java @@ -289,6 +289,8 @@ public abstract class OperationResult implements Parcelable { MSG_IP_ERROR_IO_EXC (LogLevel.ERROR, R.string.msg_ip_error_io_exc), MSG_IP_ERROR_OP_EXC (LogLevel.ERROR, R.string.msg_ip_error_op_exc), MSG_IP_ERROR_REMOTE_EX (LogLevel.ERROR, R.string.msg_ip_error_remote_ex), + MSG_IP_FINGERPRINT_ERROR (LogLevel.ERROR, R.string.msg_ip_fingerprint_error), + MSG_IP_FINGERPRINT_OK (LogLevel.INFO, R.string.msg_ip_fingerprint_ok), MSG_IP_INSERT_KEYRING (LogLevel.DEBUG, R.string.msg_ip_insert_keyring), MSG_IP_INSERT_SUBKEYS (LogLevel.DEBUG, R.string.msg_ip_insert_keys), MSG_IP_PREPARE (LogLevel.DEBUG, R.string.msg_ip_prepare), @@ -712,8 +714,6 @@ public abstract class OperationResult implements Parcelable { MSG_IMPORT_KEYSERVER (LogLevel.DEBUG, R.string.msg_import_keyserver), MSG_IMPORT_MERGE (LogLevel.DEBUG, R.string.msg_import_merge), MSG_IMPORT_MERGE_ERROR (LogLevel.ERROR, R.string.msg_import_merge_error), - MSG_IMPORT_FINGERPRINT_ERROR (LogLevel.ERROR, R.string.msg_import_fingerprint_error), - MSG_IMPORT_FINGERPRINT_OK (LogLevel.DEBUG, R.string.msg_import_fingerprint_ok), MSG_IMPORT_ERROR (LogLevel.ERROR, R.string.msg_import_error), MSG_IMPORT_ERROR_IO (LogLevel.ERROR, R.string.msg_import_error_io), MSG_IMPORT_PARTIAL (LogLevel.ERROR, R.string.msg_import_partial), diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java index 770e8de91..18a27dd96 100644 
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedKeyRing.java @@ -21,6 +21,7 @@ package org.sufficientlysecure.keychain.pgp; import org.spongycastle.openpgp.PGPKeyRing; import org.spongycastle.openpgp.PGPPublicKey; import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException; +import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils; import org.sufficientlysecure.keychain.util.IterableIterator; import java.io.IOException; @@ -28,6 +29,7 @@ import java.io.OutputStream; import java.util.ArrayList; import java.util.Date; import java.util.HashSet; +import java.util.Iterator; import java.util.Set; @@ -152,4 +154,14 @@ public abstract class CanonicalizedKeyRing extends KeyRing { return getRing().getEncoded(); } + public boolean containsSubkey(String expectedFingerprint) { + for (CanonicalizedPublicKey key : publicKeyIterator()) { + if (KeyFormattingUtils.convertFingerprintToHex( + key.getFingerprint()).equalsIgnoreCase(expectedFingerprint)) { + return true; + } + } + return false; + } + } diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java index a7baddf8b..ca98882d8 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/UncachedKeyRing.java 
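Review bot: `containsSubkey` in the last CanonicalizedKeyRing hunk has no Javadoc, and its contract is not obvious from the name. It matches any key yielded by `publicKeyIterator()` (whether that includes the master key is not visible here), using a case-insensitive compare against the hex string from `KeyFormattingUtils.convertFingerprintToHex`. A `null`, a short key id, or a fingerprint with spaces or a prefix therefore returns false, which fails closed but only if callers normalize first. Suggested doc: `/** Returns true if a key in this canonicalized ring has the given full hex fingerprint (compared case-insensitively); callers must pass it without separators. */`. Separately, the `java.util.Iterator` import added in the second hunk is not used by the new for-each loop, so drop it unless other code in the file needs it.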
@@ -216,17 +216,6 @@ public class UncachedKeyRing implements Serializable { } - public boolean containsSubkey(String expectedFingerprint) { - Iterator it = mRing.getPublicKeys(); - while (it.hasNext()) { - if (KeyFormattingUtils.convertFingerprintToHex( - it.next().getFingerprint()).equalsIgnoreCase(expectedFingerprint)) { - return true; - } - } - return false; - } - public interface IteratorWithIOThrow { public boolean hasNext() throws IOException; public E next() throws IOException; diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java index d9ef4f3c8..6f452bfd1 100644 --- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java +++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/provider/ProviderHelper.java @@ -878,7 +878,7 @@ public class ProviderHelper { } public SaveKeyringResult savePublicKeyRing(UncachedKeyRing keyRing) { - return savePublicKeyRing(keyRing, new ProgressScaler()); + return savePublicKeyRing(keyRing, new ProgressScaler(), null); } /** @@ -887,7 +887,7 @@ public class ProviderHelper { * This is a high level method, which takes care of merging all new information into the old and * keep public and secret keyrings in sync. */ - public SaveKeyringResult savePublicKeyRing(UncachedKeyRing publicRing, Progressable progress) { + public SaveKeyringResult savePublicKeyRing(UncachedKeyRing publicRing, Progressable progress, String expectedFingerprint) { try { long masterKeyId = publicRing.getMasterKeyId(); 
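Review bot: A `null` value for the new `expectedFingerprint` parameter silently means "skip the check", and the one-argument overload in the first ProviderHelper hunk hard-codes it. Any caller that holds a fingerprint but uses the short overload therefore gets an unverified save. The Javadoc directly above the changed signature was not updated; add `@param expectedFingerprint full hex fingerprint that must be present in the canonicalized ring, or null to skip the check`. The two-argument signature is replaced rather than overloaded, so any callers of `savePublicKeyRing(ring, progress)` outside this diff must be revisited, and each should decide explicitly whether `null` is acceptable. The method body continues outside the hunk.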
@@ -960,6 +960,17 @@ public class ProviderHelper { canSecretRing = null; } + + // If we have an expected fingerprint, make sure it matches + if (expectedFingerprint != null) { + if (!canPublicRing.containsSubkey(expectedFingerprint)) { + log(LogType.MSG_IP_FINGERPRINT_ERROR); + return new SaveKeyringResult(SaveKeyringResult.RESULT_ERROR, mLog, null); + } else { + log(LogType.MSG_IP_FINGERPRINT_OK); + } + } + int result = saveCanonicalizedPublicKeyRing(canPublicRing, progress, canSecretRing != null); // Save the saved keyring (if any) diff --git a/OpenKeychain/src/main/res/values/strings.xml b/OpenKeychain/src/main/res/values/strings.xml index e6d607591..f11114830 100644 --- a/OpenKeychain/src/main/res/values/strings.xml +++ b/OpenKeychain/src/main/res/values/strings.xml @@ -826,6 +826,8 @@ "Operation failed due to database error" "Operation failed due to internal error" "Importing public keyring %s" + "Fingerprint of importing key does not match expected!" + "Fingerprint check OK" "Encoding keyring data" "Parsing keys" "Preparing database operations" @@ -1281,8 +1283,6 @@ "Retrieving from keyserver: %s" "Key retrieval successful" "Using keyserver %s" - "Fingerprint of fetched key didn't match expected!" - "Fingerprint check OK" "Merging retrieved data" "Error merging retrieved data!" "Import operation failed!" -- cgit v1.2.3
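Review bot: The mismatch branch logs `MSG_IP_FINGERPRINT_ERROR` with no arguments, and the new string in strings.xml has no placeholder, so the operation log does not say which fingerprint was expected or which keyring was rejected. For triage of a failed or tampered import, include at least the expected fingerprint (it is caller-supplied, not secret), for example a `%s` in the string and the value passed to `log(...)` if that helper accepts format arguments. The comment could also say why the check sits here, e.g. `// checked on the canonicalized ring so only keys that survived canonicalization can satisfy it`. The Javadoc in the earlier hunk says this method merges new data into the stored keyring, so confirm whether `canPublicRing` is the merged ring at this point and whether a match on an already-stored subkey is intended. The enclosing method starts and ends outside the hunk.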