SignatureInputStream.java
// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package org.pgpainless.decryption_verification;
import static org.pgpainless.signature.consumer.SignatureValidator.signatureWasCreatedInBounds;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.pgpainless.PGPainless;
import org.pgpainless.exception.SignatureValidationException;
import org.pgpainless.policy.Policy;
import org.pgpainless.signature.consumer.CertificateValidator;
import org.pgpainless.signature.consumer.DetachedSignatureCheck;
import org.pgpainless.signature.consumer.OnePassSignatureCheck;
import org.pgpainless.signature.SignatureUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public abstract class SignatureInputStream extends FilterInputStream {
protected SignatureInputStream(InputStream inputStream) {
super(inputStream);
}
public static class VerifySignatures extends SignatureInputStream {
private static final Logger LOGGER = LoggerFactory.getLogger(VerifySignatures.class);
private final PGPObjectFactory objectFactory;
private final List<OnePassSignatureCheck> opSignatures;
private final Map<Long, OnePassSignatureCheck> opSignaturesWithMissingCert;
private final List<DetachedSignatureCheck> detachedSignatures;
private final ConsumerOptions options;
private final OpenPgpMetadata.Builder resultBuilder;
public VerifySignatures(
InputStream literalDataStream,
@Nullable PGPObjectFactory objectFactory,
List<OnePassSignatureCheck> opSignatures,
Map<Long, OnePassSignatureCheck> onePassSignaturesWithMissingCert,
List<DetachedSignatureCheck> detachedSignatures,
ConsumerOptions options,
OpenPgpMetadata.Builder resultBuilder) {
super(literalDataStream);
this.objectFactory = objectFactory;
this.opSignatures = opSignatures;
this.opSignaturesWithMissingCert = onePassSignaturesWithMissingCert;
this.detachedSignatures = detachedSignatures;
this.options = options;
this.resultBuilder = resultBuilder;
}
@Override
public int read() throws IOException {
final int data = super.read();
final boolean endOfStream = data == -1;
if (endOfStream) {
verifyOnePassSignatures();
verifyDetachedSignatures();
} else {
byte b = (byte) data;
updateOnePassSignatures(b);
updateDetachedSignatures(b);
}
return data;
}
@Override
public int read(@Nonnull byte[] b, int off, int len) throws IOException {
int read = super.read(b, off, len);
final boolean endOfStream = read == -1;
if (endOfStream) {
parseAndCombineSignatures();
verifyOnePassSignatures();
verifyDetachedSignatures();
} else {
updateOnePassSignatures(b, off, read);
updateDetachedSignatures(b, off, read);
}
return read;
}
public void parseAndCombineSignatures() {
if (objectFactory == null) {
return;
}
// Parse signatures from message
PGPSignatureList signatures;
try {
signatures = parseSignatures(objectFactory);
} catch (IOException e) {
return;
}
List<PGPSignature> signatureList = SignatureUtils.toList(signatures);
// Set signatures as comparison sigs in OPS checks
for (int i = 0; i < opSignatures.size(); i++) {
int reversedIndex = opSignatures.size() - i - 1;
opSignatures.get(i).setSignature(signatureList.get(reversedIndex));
}
for (PGPSignature signature : signatureList) {
if (opSignaturesWithMissingCert.containsKey(signature.getKeyID())) {
OnePassSignatureCheck check = opSignaturesWithMissingCert.remove(signature.getKeyID());
check.setSignature(signature);
resultBuilder.addInvalidInbandSignature(new SignatureVerification(signature, null),
new SignatureValidationException(
"Missing verification certificate " + Long.toHexString(signature.getKeyID())));
}
}
}
private PGPSignatureList parseSignatures(PGPObjectFactory objectFactory) throws IOException {
PGPSignatureList signatureList = null;
Object pgpObject = objectFactory.nextObject();
while (pgpObject != null && signatureList == null) {
if (pgpObject instanceof PGPSignatureList) {
signatureList = (PGPSignatureList) pgpObject;
} else {
pgpObject = objectFactory.nextObject();
}
}
if (signatureList == null || signatureList.isEmpty()) {
throw new IOException("Verification failed - No Signatures found");
}
return signatureList;
}
private synchronized void verifyOnePassSignatures() {
Policy policy = PGPainless.getPolicy();
for (OnePassSignatureCheck opSignature : opSignatures) {
if (opSignature.getSignature() == null) {
LOGGER.warn("Found OnePassSignature without respective signature packet -> skip");
continue;
}
try {
signatureWasCreatedInBounds(options.getVerifyNotBefore(),
options.getVerifyNotAfter()).verify(opSignature.getSignature());
CertificateValidator.validateCertificateAndVerifyOnePassSignature(opSignature, policy);
resultBuilder.addVerifiedInbandSignature(
new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()));
} catch (SignatureValidationException e) {
LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}",
opSignature.getSigningKey(), e.getMessage(), e);
resultBuilder.addInvalidInbandSignature(
new SignatureVerification(opSignature.getSignature(), opSignature.getSigningKey()), e);
}
}
}
private void verifyDetachedSignatures() {
Policy policy = PGPainless.getPolicy();
for (DetachedSignatureCheck s : detachedSignatures) {
try {
signatureWasCreatedInBounds(options.getVerifyNotBefore(),
options.getVerifyNotAfter()).verify(s.getSignature());
CertificateValidator.validateCertificateAndVerifyInitializedSignature(s.getSignature(),
(PGPPublicKeyRing) s.getSigningKeyRing(), policy);
resultBuilder.addVerifiedDetachedSignature(new SignatureVerification(s.getSignature(),
s.getSigningKeyIdentifier()));
} catch (SignatureValidationException e) {
LOGGER.warn("One-pass-signature verification failed for signature made by key {}: {}",
s.getSigningKeyIdentifier(), e.getMessage(), e);
resultBuilder.addInvalidDetachedSignature(new SignatureVerification(s.getSignature(),
s.getSigningKeyIdentifier()), e);
}
}
}
private void updateOnePassSignatures(byte data) {
for (OnePassSignatureCheck opSignature : opSignatures) {
opSignature.getOnePassSignature().update(data);
}
}
private void updateOnePassSignatures(byte[] bytes, int offset, int length) {
for (OnePassSignatureCheck opSignature : opSignatures) {
opSignature.getOnePassSignature().update(bytes, offset, length);
}
}
private void updateDetachedSignatures(byte b) {
for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
detachedSignature.getSignature().update(b);
}
}
private void updateDetachedSignatures(byte[] b, int off, int read) {
for (DetachedSignatureCheck detachedSignature : detachedSignatures) {
detachedSignature.getSignature().update(b, off, read);
}
}
}
}