| author | Vincent Breitmoser <valodim@mugenguild.com> | 2014-06-18 22:07:14 +0200 | 
|---|---|---|
| committer | Vincent Breitmoser <valodim@mugenguild.com> | 2014-06-19 00:14:28 +0200 | 
| commit | b40b429bc0db920e36351a8fd4189e473dc554c5 (patch) | |
| tree | 91a6718bfc416cd3948a71d987813504e616bdc6 /OpenKeychain | |
| parent | 0db425b28981209136f738c3ddaac3e549779a88 (diff) | |
remove obsolete subkey binding check from signature verification
Diffstat (limited to 'OpenKeychain')
3 files changed, 3 insertions, 124 deletions
| diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/OpenPgpSignatureResultBuilder.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/OpenPgpSignatureResultBuilder.java
index 5e49497c0..75f8bdb66 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/OpenPgpSignatureResultBuilder.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/OpenPgpSignatureResultBuilder.java
@@ -35,7 +35,6 @@ public class OpenPgpSignatureResultBuilder {
     private boolean mSignatureAvailable = false;
     private boolean mKnownKey = false;
     private boolean mValidSignature = false;
-    private boolean mValidKeyBinding = false;
     private boolean mIsSignatureKeyCertified = false;
     public void signatureOnly(boolean signatureOnly) {
@@ -58,10 +57,6 @@ public class OpenPgpSignatureResultBuilder {
         this.mValidSignature = validSignature;
     }
-    public void validKeyBinding(boolean validKeyBinding) {
-        this.mValidKeyBinding = validKeyBinding;
-    }
-
     public void signatureKeyCertified(boolean isSignatureKeyCertified) {
         this.mIsSignatureKeyCertified = isSignatureKeyCertified;
     }
@@ -77,7 +72,7 @@ public class OpenPgpSignatureResultBuilder {
             // valid sig!
             if (mKnownKey) {
-                if (mValidKeyBinding && mValidSignature) {
+                if (mValidSignature) {
                     result.setKeyId(mKeyId);
                     result.setUserId(mUserId);
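Review bot: In the `@@ -77,7 +72,7 @@` hunk, `if (mValidSignature)` is now the only condition between a known key and a `SIGNATURE_SUCCESS_*` status, so the builder's result silently depends on the signing subkey's binding having been verified somewhere else; nothing in this file states that. A comment above the branch would make the invariant explicit, e.g. `// subkey binding is not re-checked here; callers must only pass keys from a keyring whose bindings were already verified`. Where that verification happens is not visible in this diff, so the wording should name the real enforcement point. build() starts and ends outside the hunk.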
@@ -89,8 +84,7 @@ public class OpenPgpSignatureResultBuilder {
                         result.setStatus(OpenPgpSignatureResult.SIGNATURE_SUCCESS_UNCERTIFIED);
                     }
                 } else {
-                    Log.d(Constants.TAG, "Error!\nvalidKeyBinding: " + mValidKeyBinding
-                            + "\nvalidSignature: " + mValidSignature);
+                    Log.d(Constants.TAG, "Error! Invalid signature.");
                     result.setStatus(OpenPgpSignatureResult.SIGNATURE_ERROR);
                 }
             } else {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
index c009d1b5c..a5ccfbd3b 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
@@ -122,9 +122,6 @@ public class PgpDecryptVerify {
         /**
          * Allow these key ids alone for decryption.
          * This means only ciphertexts encrypted for one of these private key can be decrypted.
-         *
-         * @param allowedKeyIds
-         * @return
          */
         public Builder setAllowedKeyIds(Set<Long> allowedKeyIds) {
             this.mAllowedKeyIds = allowedKeyIds;
@@ -496,10 +493,7 @@ public class PgpDecryptVerify {
                 // Verify signature and check binding signatures
                 boolean validSignature = signature.verify(messageSignature);
-                boolean validKeyBinding = signingRing.verifySubkeyBinding(signingKey);
-
                 signatureResultBuilder.validSignature(validSignature);
-                signatureResultBuilder.validKeyBinding(validKeyBinding);
             }
         }
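Review bot: The context comment `// Verify signature and check binding signatures` stays unchanged in the `@@ -496,10 +493,7 @@` hunk and again in `@@ -643,10 +637,8 @@`, but after this change neither place checks a binding signature, so the comment overstates what is verified. It should read something like `// Verify signature only; the subkey binding is assumed to have been validated when the keyring was stored`, adjusted to name the actual enforcement point. The commit message calls the check obsolete, yet the diff does not show where the subkey binding and the primary-key back-signature for signing subkeys are enforced now. A regression test would pin that assumption down, asserting that a signature made by a subkey without a valid binding is never reported as `SIGNATURE_SUCCESS_*`. Both enclosing methods start outside the hunks.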
@@ -643,10 +637,8 @@ public class PgpDecryptVerify {
             // Verify signature and check binding signatures
             boolean validSignature = signature.verify();
-            boolean validKeyBinding = signingRing.verifySubkeyBinding(signingKey);
             signatureResultBuilder.validSignature(validSignature);
-            signatureResultBuilder.validKeyBinding(validKeyBinding);
         }
         result.setSignatureResult(signatureResultBuilder.build());
@@ -657,10 +649,6 @@ public class PgpDecryptVerify {
     /**
      * Mostly taken from ClearSignedFileProcessor in Bouncy Castle
-     *
-     * @param sig
-     * @param line
-     * @throws SignatureException
      */
     private static void processLine(PGPSignature sig, byte[] line)
             throws SignatureException {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedPublicKeyRing.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedPublicKeyRing.java
index 0bb84aee7..b2abf15a4 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedPublicKeyRing.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/WrappedPublicKeyRing.java
@@ -1,24 +1,16 @@
 package org.sufficientlysecure.keychain.pgp;
 import org.spongycastle.bcpg.ArmoredOutputStream;
-import org.spongycastle.bcpg.SignatureSubpacketTags;
-import org.spongycastle.openpgp.PGPException;
 import org.spongycastle.openpgp.PGPKeyRing;
 import org.spongycastle.openpgp.PGPObjectFactory;
 import org.spongycastle.openpgp.PGPPublicKey;
 import org.spongycastle.openpgp.PGPPublicKeyRing;
-import org.spongycastle.openpgp.PGPSignature;
-import org.spongycastle.openpgp.PGPSignatureList;
-import org.spongycastle.openpgp.PGPSignatureSubpacketVector;
-import org.spongycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
 import org.sufficientlysecure.keychain.util.IterableIterator;
 import org.sufficientlysecure.keychain.util.Log;
 import java.io.IOException;
-import java.security.SignatureException;
-import java.util.Arrays;
 import java.util.Iterator;
 public class WrappedPublicKeyRing extends WrappedKeyRing {
@@ -70,106 +62,11 @@ public class WrappedPublicKeyRing extends WrappedKeyRing {
             }
             return cKey;
         }
-        // TODO handle with proper exception
         throw new PgpGeneralException("no encryption key available");
     }
-    public boolean verifySubkeyBinding(WrappedPublicKey cachedSubkey) {
-        boolean validSubkeyBinding = false;
-        boolean validTempSubkeyBinding = false;
-        boolean validPrimaryKeyBinding = false;
-
-        PGPPublicKey masterKey = getRing().getPublicKey();
-        PGPPublicKey subKey = cachedSubkey.getPublicKey();
-
-        // Is this the master key? Match automatically, then.
-        if(Arrays.equals(masterKey.getFingerprint(), subKey.getFingerprint())) {
-            return true;
-        }
-
-        JcaPGPContentVerifierBuilderProvider contentVerifierBuilderProvider =
-                new JcaPGPContentVerifierBuilderProvider()
-                        .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
-
-        Iterator<PGPSignature> itr = subKey.getSignatures();
-
-        while (itr.hasNext()) { //what does gpg do if the subkey binding is wrong?
-            //gpg has an invalid subkey binding error on key import I think, but doesn't shout
-            //about keys without subkey signing. Can't get it to import a slightly broken one
-            //either, so we will err on bad subkey binding here.
-            PGPSignature sig = itr.next();
-            if (sig.getKeyID() == masterKey.getKeyID() &&
-                    sig.getSignatureType() == PGPSignature.SUBKEY_BINDING) {
-                //check and if ok, check primary key binding.
-                try {
-                    sig.init(contentVerifierBuilderProvider, masterKey);
-                    validTempSubkeyBinding = sig.verifyCertification(masterKey, subKey);
-                } catch (PGPException e) {
-                    continue;
-                } catch (SignatureException e) {
-                    continue;
-                }
-
-                if (validTempSubkeyBinding) {
-                    validSubkeyBinding = true;
-                }
-                if (validTempSubkeyBinding) {
-                    validPrimaryKeyBinding = verifyPrimaryKeyBinding(sig.getUnhashedSubPackets(),
-                            masterKey, subKey);
-                    if (validPrimaryKeyBinding) {
-                        break;
-                    }
-                    validPrimaryKeyBinding = verifyPrimaryKeyBinding(sig.getHashedSubPackets(),
-                            masterKey, subKey);
-                    if (validPrimaryKeyBinding) {
-                        break;
-                    }
-                }
-            }
-        }
-        return validSubkeyBinding && validPrimaryKeyBinding;
-
-    }
-
-    static boolean verifyPrimaryKeyBinding(PGPSignatureSubpacketVector pkts,
-                                            PGPPublicKey masterPublicKey,
-                                            PGPPublicKey signingPublicKey) {
-        boolean validPrimaryKeyBinding = false;
-        JcaPGPContentVerifierBuilderProvider contentVerifierBuilderProvider =
-                new JcaPGPContentVerifierBuilderProvider()
-                        .setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
-        PGPSignatureList eSigList;
-
-        if (pkts.hasSubpacket(SignatureSubpacketTags.EMBEDDED_SIGNATURE)) {
-            try {
-                eSigList = pkts.getEmbeddedSignatures();
-            } catch (IOException e) {
-                return false;
-            } catch (PGPException e) {
-                return false;
-            }
-            for (int j = 0; j < eSigList.size(); ++j) {
-                PGPSignature emSig = eSigList.get(j);
-                if (emSig.getSignatureType() == PGPSignature.PRIMARYKEY_BINDING) {
-                    try {
-                        emSig.init(contentVerifierBuilderProvider, signingPublicKey);
-                        validPrimaryKeyBinding = emSig.verifyCertification(masterPublicKey, signingPublicKey);
-                        if (validPrimaryKeyBinding) {
-                            break;
-                        }
-                    } catch (PGPException e) {
-                        continue;
-                    } catch (SignatureException e) {
-                        continue;
-                    }
-                }
-            }
-        }
-
-        return validPrimaryKeyBinding;
-    }
-
     public IterableIterator<WrappedPublicKey> publicKeyIterator() {
+        @SuppressWarnings("unchecked")
         final Iterator<PGPPublicKey> it = getRing().getPublicKeys();
         return new IterableIterator<WrappedPublicKey>(new Iterator<WrappedPublicKey>() {
             @Override |
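Review bot: The added `@SuppressWarnings("unchecked")` on `it` in publicKeyIterator() has no comment saying why the unchecked conversion is safe. The suppression is scoped to a single local, which is good, but a reader still has to guess the reason; presumably `getRing().getPublicKeys()` returns a raw `Iterator` from the library. A one-line comment such as `// getPublicKeys() returns a raw Iterator whose elements are PGPPublicKey` above the annotation would record that, once confirmed against the library signature. publicKeyIterator() continues past the end of the hunk.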
