mirror of
https://github.com/moparisthebest/open-keychain
synced 2024-12-25 00:18:51 -05:00
Support verification of detached signatures
This commit is contained in:
parent
e8780b4410
commit
ae7ba2639f
@ -28,7 +28,6 @@ import org.spongycastle.openpgp.PGPEncryptedData;
|
|||||||
import org.spongycastle.openpgp.PGPEncryptedDataList;
|
import org.spongycastle.openpgp.PGPEncryptedDataList;
|
||||||
import org.spongycastle.openpgp.PGPException;
|
import org.spongycastle.openpgp.PGPException;
|
||||||
import org.spongycastle.openpgp.PGPLiteralData;
|
import org.spongycastle.openpgp.PGPLiteralData;
|
||||||
import org.spongycastle.openpgp.PGPObjectFactory;
|
|
||||||
import org.spongycastle.openpgp.PGPOnePassSignature;
|
import org.spongycastle.openpgp.PGPOnePassSignature;
|
||||||
import org.spongycastle.openpgp.PGPOnePassSignatureList;
|
import org.spongycastle.openpgp.PGPOnePassSignatureList;
|
||||||
import org.spongycastle.openpgp.PGPPBEEncryptedData;
|
import org.spongycastle.openpgp.PGPPBEEncryptedData;
|
||||||
@ -36,6 +35,7 @@ import org.spongycastle.openpgp.PGPPublicKeyEncryptedData;
|
|||||||
import org.spongycastle.openpgp.PGPSignature;
|
import org.spongycastle.openpgp.PGPSignature;
|
||||||
import org.spongycastle.openpgp.PGPSignatureList;
|
import org.spongycastle.openpgp.PGPSignatureList;
|
||||||
import org.spongycastle.openpgp.PGPUtil;
|
import org.spongycastle.openpgp.PGPUtil;
|
||||||
|
import org.spongycastle.openpgp.jcajce.JcaPGPObjectFactory;
|
||||||
import org.spongycastle.openpgp.operator.PBEDataDecryptorFactory;
|
import org.spongycastle.openpgp.operator.PBEDataDecryptorFactory;
|
||||||
import org.spongycastle.openpgp.operator.PGPDigestCalculatorProvider;
|
import org.spongycastle.openpgp.operator.PGPDigestCalculatorProvider;
|
||||||
import org.spongycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
|
import org.spongycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
|
||||||
@ -83,6 +83,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
private Set<Long> mAllowedKeyIds;
|
private Set<Long> mAllowedKeyIds;
|
||||||
private boolean mDecryptMetadataOnly;
|
private boolean mDecryptMetadataOnly;
|
||||||
private byte[] mDecryptedSessionKey;
|
private byte[] mDecryptedSessionKey;
|
||||||
|
private byte[] mDetachedSignature;
|
||||||
|
|
||||||
protected PgpDecryptVerify(Builder builder) {
|
protected PgpDecryptVerify(Builder builder) {
|
||||||
super(builder.mContext, builder.mProviderHelper, builder.mProgressable);
|
super(builder.mContext, builder.mProviderHelper, builder.mProgressable);
|
||||||
@ -96,6 +97,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
this.mAllowedKeyIds = builder.mAllowedKeyIds;
|
this.mAllowedKeyIds = builder.mAllowedKeyIds;
|
||||||
this.mDecryptMetadataOnly = builder.mDecryptMetadataOnly;
|
this.mDecryptMetadataOnly = builder.mDecryptMetadataOnly;
|
||||||
this.mDecryptedSessionKey = builder.mDecryptedSessionKey;
|
this.mDecryptedSessionKey = builder.mDecryptedSessionKey;
|
||||||
|
this.mDetachedSignature = builder.mDetachedSignature;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static class Builder {
|
public static class Builder {
|
||||||
@ -103,15 +105,16 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
private Context mContext;
|
private Context mContext;
|
||||||
private ProviderHelper mProviderHelper;
|
private ProviderHelper mProviderHelper;
|
||||||
private InputData mData;
|
private InputData mData;
|
||||||
private OutputStream mOutStream;
|
|
||||||
|
|
||||||
// optional
|
// optional
|
||||||
|
private OutputStream mOutStream = null;
|
||||||
private Progressable mProgressable = null;
|
private Progressable mProgressable = null;
|
||||||
private boolean mAllowSymmetricDecryption = true;
|
private boolean mAllowSymmetricDecryption = true;
|
||||||
private String mPassphrase = null;
|
private String mPassphrase = null;
|
||||||
private Set<Long> mAllowedKeyIds = null;
|
private Set<Long> mAllowedKeyIds = null;
|
||||||
private boolean mDecryptMetadataOnly = false;
|
private boolean mDecryptMetadataOnly = false;
|
||||||
private byte[] mDecryptedSessionKey = null;
|
private byte[] mDecryptedSessionKey = null;
|
||||||
|
private byte[] mDetachedSignature = null;
|
||||||
|
|
||||||
public Builder(Context context, ProviderHelper providerHelper,
|
public Builder(Context context, ProviderHelper providerHelper,
|
||||||
Progressable progressable,
|
Progressable progressable,
|
||||||
@ -156,6 +159,17 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* If detachedSignature != null, it will be used exclusively to verify the signature
|
||||||
|
*
|
||||||
|
* @param detachedSignature
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public Builder setDetachedSignature(byte[] detachedSignature) {
|
||||||
|
mDetachedSignature = detachedSignature;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
public PgpDecryptVerify build() {
|
public PgpDecryptVerify build() {
|
||||||
return new PgpDecryptVerify(this);
|
return new PgpDecryptVerify(this);
|
||||||
}
|
}
|
||||||
@ -166,22 +180,30 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
*/
|
*/
|
||||||
public DecryptVerifyResult execute() {
|
public DecryptVerifyResult execute() {
|
||||||
try {
|
try {
|
||||||
// automatically works with ascii armor input and binary
|
if (mDetachedSignature != null) {
|
||||||
InputStream in = PGPUtil.getDecoderStream(mData.getInputStream());
|
Log.d(Constants.TAG, "Detached signature present, verifying with this signature only");
|
||||||
|
|
||||||
if (in instanceof ArmoredInputStream) {
|
return verifyDetachedSignature(mData.getInputStream(), 0);
|
||||||
ArmoredInputStream aIn = (ArmoredInputStream) in;
|
} else {
|
||||||
// it is ascii armored
|
// automatically works with PGP ascii armor and PGP binary
|
||||||
Log.d(Constants.TAG, "ASCII Armor Header Line: " + aIn.getArmorHeaderLine());
|
InputStream in = PGPUtil.getDecoderStream(mData.getInputStream());
|
||||||
|
|
||||||
if (aIn.isClearText()) {
|
if (in instanceof ArmoredInputStream) {
|
||||||
// a cleartext signature, verify it with the other method
|
ArmoredInputStream aIn = (ArmoredInputStream) in;
|
||||||
return verifyCleartextSignature(aIn, 0);
|
// it is ascii armored
|
||||||
|
Log.d(Constants.TAG, "ASCII Armor Header Line: " + aIn.getArmorHeaderLine());
|
||||||
|
|
||||||
|
if (aIn.isClearText()) {
|
||||||
|
// a cleartext signature, verify it with the other method
|
||||||
|
return verifyCleartextSignature(aIn, 0);
|
||||||
|
} else {
|
||||||
|
// else: ascii armored encryption! go on...
|
||||||
|
return decryptVerify(in, 0);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return decryptVerify(in, 0);
|
||||||
}
|
}
|
||||||
// else: ascii armored encryption! go on...
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return decryptVerify(in, 0);
|
|
||||||
} catch (PGPException e) {
|
} catch (PGPException e) {
|
||||||
Log.d(Constants.TAG, "PGPException", e);
|
Log.d(Constants.TAG, "PGPException", e);
|
||||||
OperationLog log = new OperationLog();
|
OperationLog log = new OperationLog();
|
||||||
@ -205,7 +227,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
log.add(LogType.MSG_DC, indent);
|
log.add(LogType.MSG_DC, indent);
|
||||||
indent += 1;
|
indent += 1;
|
||||||
|
|
||||||
PGPObjectFactory pgpF = new PGPObjectFactory(in, new JcaKeyFingerprintCalculator());
|
JcaPGPObjectFactory pgpF = new JcaPGPObjectFactory(in);
|
||||||
PGPEncryptedDataList enc;
|
PGPEncryptedDataList enc;
|
||||||
Object o = pgpF.nextObject();
|
Object o = pgpF.nextObject();
|
||||||
|
|
||||||
@ -238,15 +260,18 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
// https://tools.ietf.org/html/rfc4880#page56
|
// https://tools.ietf.org/html/rfc4880#page56
|
||||||
String charset = null;
|
String charset = null;
|
||||||
if (in instanceof ArmoredInputStream) {
|
if (in instanceof ArmoredInputStream) {
|
||||||
for (String header : ((ArmoredInputStream) in).getArmorHeaders()) {
|
ArmoredInputStream aIn = (ArmoredInputStream) in;
|
||||||
String[] pieces = header.split(":", 2);
|
if (aIn.getArmorHeaders() != null) {
|
||||||
if (pieces.length == 2 && "charset".equalsIgnoreCase(pieces[0])) {
|
for (String header : aIn.getArmorHeaders()) {
|
||||||
charset = pieces[1].trim();
|
String[] pieces = header.split(":", 2);
|
||||||
break;
|
if (pieces.length == 2 && "charset".equalsIgnoreCase(pieces[0])) {
|
||||||
|
charset = pieces[1].trim();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (charset != null) {
|
||||||
|
log.add(LogType.MSG_DC_CHARSET, indent, charset);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
if (charset != null) {
|
|
||||||
log.add(LogType.MSG_DC_CHARSET, indent, charset);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -273,19 +298,19 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
);
|
);
|
||||||
} catch (ProviderHelper.NotFoundException e) {
|
} catch (ProviderHelper.NotFoundException e) {
|
||||||
// continue with the next packet in the while loop
|
// continue with the next packet in the while loop
|
||||||
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent +1);
|
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent + 1);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (secretKeyRing == null) {
|
if (secretKeyRing == null) {
|
||||||
// continue with the next packet in the while loop
|
// continue with the next packet in the while loop
|
||||||
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent +1);
|
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent + 1);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
// get subkey which has been used for this encryption packet
|
// get subkey which has been used for this encryption packet
|
||||||
secretEncryptionKey = secretKeyRing.getSecretKey(subKeyId);
|
secretEncryptionKey = secretKeyRing.getSecretKey(subKeyId);
|
||||||
if (secretEncryptionKey == null) {
|
if (secretEncryptionKey == null) {
|
||||||
// should actually never happen, so no need to be more specific.
|
// should actually never happen, so no need to be more specific.
|
||||||
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent +1);
|
log.add(LogType.MSG_DC_ASKIP_NO_KEY, indent + 1);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -299,7 +324,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
if (!mAllowedKeyIds.contains(masterKeyId)) {
|
if (!mAllowedKeyIds.contains(masterKeyId)) {
|
||||||
// this key is in our db, but NOT allowed!
|
// this key is in our db, but NOT allowed!
|
||||||
// continue with the next packet in the while loop
|
// continue with the next packet in the while loop
|
||||||
log.add(LogType.MSG_DC_ASKIP_NOT_ALLOWED, indent +1);
|
log.add(LogType.MSG_DC_ASKIP_NOT_ALLOWED, indent + 1);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -314,15 +339,15 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
try {
|
try {
|
||||||
// returns "" if key has no passphrase
|
// returns "" if key has no passphrase
|
||||||
mPassphrase = getCachedPassphrase(subKeyId);
|
mPassphrase = getCachedPassphrase(subKeyId);
|
||||||
log.add(LogType.MSG_DC_PASS_CACHED, indent +1);
|
log.add(LogType.MSG_DC_PASS_CACHED, indent + 1);
|
||||||
} catch (PassphraseCacheInterface.NoSecretKeyException e) {
|
} catch (PassphraseCacheInterface.NoSecretKeyException e) {
|
||||||
log.add(LogType.MSG_DC_ERROR_NO_KEY, indent +1);
|
log.add(LogType.MSG_DC_ERROR_NO_KEY, indent + 1);
|
||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
// if passphrase was not cached, return here indicating that a passphrase is missing!
|
// if passphrase was not cached, return here indicating that a passphrase is missing!
|
||||||
if (mPassphrase == null) {
|
if (mPassphrase == null) {
|
||||||
log.add(LogType.MSG_DC_PENDING_PASSPHRASE, indent +1);
|
log.add(LogType.MSG_DC_PENDING_PASSPHRASE, indent + 1);
|
||||||
DecryptVerifyResult result =
|
DecryptVerifyResult result =
|
||||||
new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_ASYM_PASSPHRASE, log);
|
new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_ASYM_PASSPHRASE, log);
|
||||||
result.setKeyIdPassphraseNeeded(subKeyId);
|
result.setKeyIdPassphraseNeeded(subKeyId);
|
||||||
@ -338,8 +363,8 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
|
|
||||||
log.add(LogType.MSG_DC_SYM, indent);
|
log.add(LogType.MSG_DC_SYM, indent);
|
||||||
|
|
||||||
if (! mAllowSymmetricDecryption) {
|
if (!mAllowSymmetricDecryption) {
|
||||||
log.add(LogType.MSG_DC_SYM_SKIP, indent +1);
|
log.add(LogType.MSG_DC_SYM_SKIP, indent + 1);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -354,7 +379,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
// if no passphrase is given, return here
|
// if no passphrase is given, return here
|
||||||
// indicating that a passphrase is missing!
|
// indicating that a passphrase is missing!
|
||||||
if (mPassphrase == null) {
|
if (mPassphrase == null) {
|
||||||
log.add(LogType.MSG_DC_PENDING_PASSPHRASE, indent +1);
|
log.add(LogType.MSG_DC_PENDING_PASSPHRASE, indent + 1);
|
||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_SYM_PASSPHRASE, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_SYM_PASSPHRASE, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -399,13 +424,13 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
updateProgress(R.string.progress_extracting_key, currentProgress, 100);
|
updateProgress(R.string.progress_extracting_key, currentProgress, 100);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
log.add(LogType.MSG_DC_UNLOCKING, indent +1);
|
log.add(LogType.MSG_DC_UNLOCKING, indent + 1);
|
||||||
if (!secretEncryptionKey.unlock(mPassphrase)) {
|
if (!secretEncryptionKey.unlock(mPassphrase)) {
|
||||||
log.add(LogType.MSG_DC_ERROR_BAD_PASSPHRASE, indent +1);
|
log.add(LogType.MSG_DC_ERROR_BAD_PASSPHRASE, indent + 1);
|
||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
}
|
}
|
||||||
} catch (PgpGeneralException e) {
|
} catch (PgpGeneralException e) {
|
||||||
log.add(LogType.MSG_DC_ERROR_EXTRACT_KEY, indent +1);
|
log.add(LogType.MSG_DC_ERROR_EXTRACT_KEY, indent + 1);
|
||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -417,7 +442,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
= secretEncryptionKey.getDecryptorFactory(mDecryptedSessionKey);
|
= secretEncryptionKey.getDecryptorFactory(mDecryptedSessionKey);
|
||||||
clear = encryptedDataAsymmetric.getDataStream(decryptorFactory);
|
clear = encryptedDataAsymmetric.getDataStream(decryptorFactory);
|
||||||
} catch (NfcSyncPublicKeyDataDecryptorFactoryBuilder.NfcInteractionNeeded e) {
|
} catch (NfcSyncPublicKeyDataDecryptorFactoryBuilder.NfcInteractionNeeded e) {
|
||||||
log.add(LogType.MSG_DC_PENDING_NFC, indent +1);
|
log.add(LogType.MSG_DC_PENDING_NFC, indent + 1);
|
||||||
DecryptVerifyResult result =
|
DecryptVerifyResult result =
|
||||||
new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_NFC, log);
|
new DecryptVerifyResult(DecryptVerifyResult.RESULT_PENDING_NFC, log);
|
||||||
result.setNfcState(secretEncryptionKey.getKeyId(), e.encryptedSessionKey, mPassphrase);
|
result.setNfcState(secretEncryptionKey.getKeyId(), e.encryptedSessionKey, mPassphrase);
|
||||||
@ -428,11 +453,11 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
// If we didn't find any useful data, error out
|
// If we didn't find any useful data, error out
|
||||||
// no packet has been found where we have the corresponding secret key in our db
|
// no packet has been found where we have the corresponding secret key in our db
|
||||||
log.add(
|
log.add(
|
||||||
anyPacketFound ? LogType.MSG_DC_ERROR_NO_KEY : LogType.MSG_DC_ERROR_NO_DATA, indent +1);
|
anyPacketFound ? LogType.MSG_DC_ERROR_NO_KEY : LogType.MSG_DC_ERROR_NO_DATA, indent + 1);
|
||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
PGPObjectFactory plainFact = new PGPObjectFactory(clear, new JcaKeyFingerprintCalculator());
|
JcaPGPObjectFactory plainFact = new JcaPGPObjectFactory(clear);
|
||||||
Object dataChunk = plainFact.nextObject();
|
Object dataChunk = plainFact.nextObject();
|
||||||
OpenPgpSignatureResultBuilder signatureResultBuilder = new OpenPgpSignatureResultBuilder();
|
OpenPgpSignatureResultBuilder signatureResultBuilder = new OpenPgpSignatureResultBuilder();
|
||||||
int signatureIndex = -1;
|
int signatureIndex = -1;
|
||||||
@ -443,25 +468,27 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
indent += 1;
|
indent += 1;
|
||||||
|
|
||||||
if (dataChunk instanceof PGPCompressedData) {
|
if (dataChunk instanceof PGPCompressedData) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_DECOMPRESS, indent +1);
|
log.add(LogType.MSG_DC_CLEAR_DECOMPRESS, indent + 1);
|
||||||
currentProgress += 2;
|
currentProgress += 2;
|
||||||
updateProgress(R.string.progress_decompressing_data, currentProgress, 100);
|
updateProgress(R.string.progress_decompressing_data, currentProgress, 100);
|
||||||
|
|
||||||
PGPCompressedData compressedData = (PGPCompressedData) dataChunk;
|
PGPCompressedData compressedData = (PGPCompressedData) dataChunk;
|
||||||
|
|
||||||
PGPObjectFactory fact = new PGPObjectFactory(compressedData.getDataStream(), new JcaKeyFingerprintCalculator());
|
JcaPGPObjectFactory fact = new JcaPGPObjectFactory(compressedData.getDataStream());
|
||||||
dataChunk = fact.nextObject();
|
dataChunk = fact.nextObject();
|
||||||
plainFact = fact;
|
plainFact = fact;
|
||||||
}
|
}
|
||||||
|
|
||||||
PGPOnePassSignature signature = null;
|
PGPOnePassSignature signature = null;
|
||||||
if (dataChunk instanceof PGPOnePassSignatureList) {
|
if (dataChunk instanceof PGPOnePassSignatureList) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_SIGNATURE, indent +1);
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE, indent + 1);
|
||||||
currentProgress += 2;
|
currentProgress += 2;
|
||||||
updateProgress(R.string.progress_processing_signature, currentProgress, 100);
|
updateProgress(R.string.progress_processing_signature, currentProgress, 100);
|
||||||
|
|
||||||
PGPOnePassSignatureList sigList = (PGPOnePassSignatureList) dataChunk;
|
PGPOnePassSignatureList sigList = (PGPOnePassSignatureList) dataChunk;
|
||||||
|
|
||||||
|
// NOTE: following code is similar to processSignature, but for PGPOnePassSignature
|
||||||
|
|
||||||
// go through all signatures
|
// go through all signatures
|
||||||
// and find out for which signature we have a key in our database
|
// and find out for which signature we have a key in our database
|
||||||
for (int i = 0; i < sigList.size(); ++i) {
|
for (int i = 0; i < sigList.size(); ++i) {
|
||||||
@ -507,7 +534,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
OpenPgpMetadata metadata;
|
OpenPgpMetadata metadata;
|
||||||
|
|
||||||
if (dataChunk instanceof PGPLiteralData) {
|
if (dataChunk instanceof PGPLiteralData) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_DATA, indent +1);
|
log.add(LogType.MSG_DC_CLEAR_DATA, indent + 1);
|
||||||
indent += 2;
|
indent += 2;
|
||||||
currentProgress += 4;
|
currentProgress += 4;
|
||||||
updateProgress(R.string.progress_decrypting, currentProgress, 100);
|
updateProgress(R.string.progress_decrypting, currentProgress, 100);
|
||||||
@ -549,12 +576,12 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
literalData.getModificationTime().getTime(),
|
literalData.getModificationTime().getTime(),
|
||||||
originalSize);
|
originalSize);
|
||||||
|
|
||||||
if ( ! originalFilename.equals("")) {
|
if (!originalFilename.equals("")) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_META_FILE, indent + 1, originalFilename);
|
log.add(LogType.MSG_DC_CLEAR_META_FILE, indent + 1, originalFilename);
|
||||||
}
|
}
|
||||||
log.add(LogType.MSG_DC_CLEAR_META_MIME, indent +1,
|
log.add(LogType.MSG_DC_CLEAR_META_MIME, indent + 1,
|
||||||
mimeType);
|
mimeType);
|
||||||
log.add(LogType.MSG_DC_CLEAR_META_TIME, indent +1,
|
log.add(LogType.MSG_DC_CLEAR_META_TIME, indent + 1,
|
||||||
new Date(literalData.getModificationTime().getTime()).toString());
|
new Date(literalData.getModificationTime().getTime()).toString());
|
||||||
if (originalSize != 0) {
|
if (originalSize != 0) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_META_SIZE, indent + 1,
|
log.add(LogType.MSG_DC_CLEAR_META_SIZE, indent + 1,
|
||||||
@ -589,7 +616,9 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
int length;
|
int length;
|
||||||
byte[] buffer = new byte[1 << 16];
|
byte[] buffer = new byte[1 << 16];
|
||||||
while ((length = dataIn.read(buffer)) > 0) {
|
while ((length = dataIn.read(buffer)) > 0) {
|
||||||
mOutStream.write(buffer, 0, length);
|
if (mOutStream != null) {
|
||||||
|
mOutStream.write(buffer, 0, length);
|
||||||
|
}
|
||||||
|
|
||||||
// update signature buffer if signature is also present
|
// update signature buffer if signature is also present
|
||||||
if (signature != null) {
|
if (signature != null) {
|
||||||
@ -623,9 +652,9 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
// Verify signature and check binding signatures
|
// Verify signature and check binding signatures
|
||||||
boolean validSignature = signature.verify(messageSignature);
|
boolean validSignature = signature.verify(messageSignature);
|
||||||
if (validSignature) {
|
if (validSignature) {
|
||||||
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_OK, indent +1);
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_OK, indent + 1);
|
||||||
} else {
|
} else {
|
||||||
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent +1);
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent + 1);
|
||||||
}
|
}
|
||||||
signatureResultBuilder.setValidSignature(validSignature);
|
signatureResultBuilder.setValidSignature(validSignature);
|
||||||
}
|
}
|
||||||
@ -687,7 +716,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
|
|
||||||
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
ByteArrayOutputStream out = new ByteArrayOutputStream();
|
||||||
|
|
||||||
updateProgress(R.string.progress_done, 0, 100);
|
updateProgress(R.string.progress_reading_data, 0, 100);
|
||||||
|
|
||||||
ByteArrayOutputStream lineOut = new ByteArrayOutputStream();
|
ByteArrayOutputStream lineOut = new ByteArrayOutputStream();
|
||||||
int lookAhead = readInputLine(lineOut, aIn);
|
int lookAhead = readInputLine(lineOut, aIn);
|
||||||
@ -707,10 +736,12 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
out.close();
|
out.close();
|
||||||
|
|
||||||
byte[] clearText = out.toByteArray();
|
byte[] clearText = out.toByteArray();
|
||||||
mOutStream.write(clearText);
|
if (mOutStream != null) {
|
||||||
|
mOutStream.write(clearText);
|
||||||
|
}
|
||||||
|
|
||||||
updateProgress(R.string.progress_processing_signature, 60, 100);
|
updateProgress(R.string.progress_processing_signature, 60, 100);
|
||||||
PGPObjectFactory pgpFact = new PGPObjectFactory(aIn, new JcaKeyFingerprintCalculator());
|
JcaPGPObjectFactory pgpFact = new JcaPGPObjectFactory(aIn);
|
||||||
|
|
||||||
PGPSignatureList sigList = (PGPSignatureList) pgpFact.nextObject();
|
PGPSignatureList sigList = (PGPSignatureList) pgpFact.nextObject();
|
||||||
if (sigList == null) {
|
if (sigList == null) {
|
||||||
@ -718,45 +749,7 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
CanonicalizedPublicKeyRing signingRing = null;
|
PGPSignature signature = processPGPSignatureList(sigList, signatureResultBuilder);
|
||||||
CanonicalizedPublicKey signingKey = null;
|
|
||||||
int signatureIndex = -1;
|
|
||||||
|
|
||||||
// go through all signatures
|
|
||||||
// and find out for which signature we have a key in our database
|
|
||||||
for (int i = 0; i < sigList.size(); ++i) {
|
|
||||||
try {
|
|
||||||
long sigKeyId = sigList.get(i).getKeyID();
|
|
||||||
signingRing = mProviderHelper.getCanonicalizedPublicKeyRing(
|
|
||||||
KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(sigKeyId)
|
|
||||||
);
|
|
||||||
signingKey = signingRing.getPublicKey(sigKeyId);
|
|
||||||
signatureIndex = i;
|
|
||||||
} catch (ProviderHelper.NotFoundException e) {
|
|
||||||
Log.d(Constants.TAG, "key not found, trying next signature...");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
PGPSignature signature = null;
|
|
||||||
|
|
||||||
if (signingKey != null) {
|
|
||||||
// key found in our database!
|
|
||||||
signature = sigList.get(signatureIndex);
|
|
||||||
|
|
||||||
signatureResultBuilder.initValid(signingRing, signingKey);
|
|
||||||
|
|
||||||
JcaPGPContentVerifierBuilderProvider contentVerifierBuilderProvider =
|
|
||||||
new JcaPGPContentVerifierBuilderProvider()
|
|
||||||
.setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
|
|
||||||
signature.init(contentVerifierBuilderProvider, signingKey.getPublicKey());
|
|
||||||
} else {
|
|
||||||
// no key in our database -> return "unknown pub key" status including the first key id
|
|
||||||
if (!sigList.isEmpty()) {
|
|
||||||
signatureResultBuilder.setSignatureAvailable(true);
|
|
||||||
signatureResultBuilder.setKnownKey(false);
|
|
||||||
signatureResultBuilder.setKeyId(sigList.get(0).getKeyID());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signature != null) {
|
if (signature != null) {
|
||||||
try {
|
try {
|
||||||
@ -804,6 +797,134 @@ public class PgpDecryptVerify extends BaseOperation {
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private DecryptVerifyResult verifyDetachedSignature(InputStream in, int indent)
|
||||||
|
throws IOException, PGPException {
|
||||||
|
|
||||||
|
OperationLog log = new OperationLog();
|
||||||
|
|
||||||
|
OpenPgpSignatureResultBuilder signatureResultBuilder = new OpenPgpSignatureResultBuilder();
|
||||||
|
// detached signatures are never encrypted
|
||||||
|
signatureResultBuilder.setSignatureOnly(true);
|
||||||
|
|
||||||
|
updateProgress(R.string.progress_processing_signature, 0, 100);
|
||||||
|
InputStream detachedSigIn = new ByteArrayInputStream(mDetachedSignature);
|
||||||
|
detachedSigIn = PGPUtil.getDecoderStream(detachedSigIn);
|
||||||
|
|
||||||
|
JcaPGPObjectFactory pgpFact = new JcaPGPObjectFactory(detachedSigIn);
|
||||||
|
|
||||||
|
PGPSignatureList sigList;
|
||||||
|
Object o = pgpFact.nextObject();
|
||||||
|
if (o instanceof PGPCompressedData) {
|
||||||
|
PGPCompressedData c1 = (PGPCompressedData) o;
|
||||||
|
pgpFact = new JcaPGPObjectFactory(c1.getDataStream());
|
||||||
|
sigList = (PGPSignatureList) pgpFact.nextObject();
|
||||||
|
} else if (o instanceof PGPSignatureList) {
|
||||||
|
sigList = (PGPSignatureList) o;
|
||||||
|
} else {
|
||||||
|
log.add(LogType.MSG_DC_ERROR_INVALID_SIGLIST, 0);
|
||||||
|
return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
|
||||||
|
}
|
||||||
|
|
||||||
|
PGPSignature signature = processPGPSignatureList(sigList, signatureResultBuilder);
|
||||||
|
|
||||||
|
if (signature != null) {
|
||||||
|
updateProgress(R.string.progress_reading_data, 60, 100);
|
||||||
|
|
||||||
|
ProgressScaler progressScaler = new ProgressScaler(mProgressable, 60, 90, 100);
|
||||||
|
long alreadyWritten = 0;
|
||||||
|
long wholeSize = mData.getSize() - mData.getStreamPosition();
|
||||||
|
int length;
|
||||||
|
byte[] buffer = new byte[1 << 16];
|
||||||
|
while ((length = in.read(buffer)) > 0) {
|
||||||
|
if (mOutStream != null) {
|
||||||
|
mOutStream.write(buffer, 0, length);
|
||||||
|
}
|
||||||
|
|
||||||
|
// update signature buffer if signature is also present
|
||||||
|
signature.update(buffer, 0, length);
|
||||||
|
|
||||||
|
alreadyWritten += length;
|
||||||
|
if (wholeSize > 0) {
|
||||||
|
long progress = 100 * alreadyWritten / wholeSize;
|
||||||
|
// stop at 100% for wrong file sizes...
|
||||||
|
if (progress > 100) {
|
||||||
|
progress = 100;
|
||||||
|
}
|
||||||
|
progressScaler.setProgress((int) progress, 100);
|
||||||
|
} else {
|
||||||
|
// TODO: slow annealing to fake a progress?
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
updateProgress(R.string.progress_verifying_signature, 90, 100);
|
||||||
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_CHECK, indent);
|
||||||
|
|
||||||
|
// these are not cleartext signatures!
|
||||||
|
signatureResultBuilder.setSignatureOnly(false);
|
||||||
|
|
||||||
|
// Verify signature and check binding signatures
|
||||||
|
boolean validSignature = signature.verify();
|
||||||
|
if (validSignature) {
|
||||||
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_OK, indent + 1);
|
||||||
|
} else {
|
||||||
|
log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent + 1);
|
||||||
|
}
|
||||||
|
signatureResultBuilder.setValidSignature(validSignature);
|
||||||
|
}
|
||||||
|
|
||||||
|
updateProgress(R.string.progress_done, 100, 100);
|
||||||
|
|
||||||
|
log.add(LogType.MSG_DC_OK, indent);
|
||||||
|
|
||||||
|
DecryptVerifyResult result = new DecryptVerifyResult(DecryptVerifyResult.RESULT_OK, log);
|
||||||
|
result.setSignatureResult(signatureResultBuilder.build());
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
private PGPSignature processPGPSignatureList(PGPSignatureList sigList, OpenPgpSignatureResultBuilder signatureResultBuilder) throws PGPException {
|
||||||
|
CanonicalizedPublicKeyRing signingRing = null;
|
||||||
|
CanonicalizedPublicKey signingKey = null;
|
||||||
|
int signatureIndex = -1;
|
||||||
|
|
||||||
|
// go through all signatures
|
||||||
|
// and find out for which signature we have a key in our database
|
||||||
|
for (int i = 0; i < sigList.size(); ++i) {
|
||||||
|
try {
|
||||||
|
long sigKeyId = sigList.get(i).getKeyID();
|
||||||
|
signingRing = mProviderHelper.getCanonicalizedPublicKeyRing(
|
||||||
|
KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(sigKeyId)
|
||||||
|
);
|
||||||
|
signingKey = signingRing.getPublicKey(sigKeyId);
|
||||||
|
signatureIndex = i;
|
||||||
|
} catch (ProviderHelper.NotFoundException e) {
|
||||||
|
Log.d(Constants.TAG, "key not found, trying next signature...");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
PGPSignature signature = null;
|
||||||
|
|
||||||
|
if (signingKey != null) {
|
||||||
|
// key found in our database!
|
||||||
|
signature = sigList.get(signatureIndex);
|
||||||
|
|
||||||
|
signatureResultBuilder.initValid(signingRing, signingKey);
|
||||||
|
|
||||||
|
JcaPGPContentVerifierBuilderProvider contentVerifierBuilderProvider =
|
||||||
|
new JcaPGPContentVerifierBuilderProvider()
|
||||||
|
.setProvider(Constants.BOUNCY_CASTLE_PROVIDER_NAME);
|
||||||
|
signature.init(contentVerifierBuilderProvider, signingKey.getPublicKey());
|
||||||
|
} else {
|
||||||
|
// no key in our database -> return "unknown pub key" status including the first key id
|
||||||
|
if (!sigList.isEmpty()) {
|
||||||
|
signatureResultBuilder.setSignatureAvailable(true);
|
||||||
|
signatureResultBuilder.setKnownKey(false);
|
||||||
|
signatureResultBuilder.setKeyId(sigList.get(0).getKeyID());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return signature;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Mostly taken from ClearSignedFileProcessor in Bouncy Castle
|
* Mostly taken from ClearSignedFileProcessor in Bouncy Castle
|
||||||
*/
|
*/
|
||||||
|
@ -481,7 +481,8 @@ public class OpenPgpService extends RemoteService {
|
|||||||
InputStream is = new ParcelFileDescriptor.AutoCloseInputStream(input);
|
InputStream is = new ParcelFileDescriptor.AutoCloseInputStream(input);
|
||||||
|
|
||||||
OutputStream os;
|
OutputStream os;
|
||||||
if (decryptMetadataOnly) {
|
// output is optional, e.g., for verifying detached signatures
|
||||||
|
if (decryptMetadataOnly || output == null) {
|
||||||
os = null;
|
os = null;
|
||||||
} else {
|
} else {
|
||||||
os = new ParcelFileDescriptor.AutoCloseOutputStream(output);
|
os = new ParcelFileDescriptor.AutoCloseOutputStream(output);
|
||||||
@ -498,15 +499,17 @@ public class OpenPgpService extends RemoteService {
|
|||||||
|
|
||||||
byte[] nfcDecryptedSessionKey = data.getByteArrayExtra(OpenPgpApi.EXTRA_NFC_DECRYPTED_SESSION_KEY);
|
byte[] nfcDecryptedSessionKey = data.getByteArrayExtra(OpenPgpApi.EXTRA_NFC_DECRYPTED_SESSION_KEY);
|
||||||
|
|
||||||
|
byte[] detachedSignature = data.getByteArrayExtra(OpenPgpApi.EXTRA_DETACHED_SIGNATURE);
|
||||||
|
|
||||||
// allow only private keys associated with accounts of this app
|
// allow only private keys associated with accounts of this app
|
||||||
// no support for symmetric encryption
|
// no support for symmetric encryption
|
||||||
builder.setPassphrase(passphrase)
|
builder.setPassphrase(passphrase)
|
||||||
.setAllowSymmetricDecryption(false)
|
.setAllowSymmetricDecryption(false)
|
||||||
.setAllowedKeyIds(allowedKeyIds)
|
.setAllowedKeyIds(allowedKeyIds)
|
||||||
.setDecryptMetadataOnly(decryptMetadataOnly)
|
.setDecryptMetadataOnly(decryptMetadataOnly)
|
||||||
.setNfcState(nfcDecryptedSessionKey);
|
.setNfcState(nfcDecryptedSessionKey)
|
||||||
|
.setDetachedSignature(detachedSignature);
|
||||||
|
|
||||||
// TODO: currently does not support binary signed-only content
|
|
||||||
DecryptVerifyResult pgpResult = builder.build().execute();
|
DecryptVerifyResult pgpResult = builder.build().execute();
|
||||||
|
|
||||||
if (pgpResult.isPending()) {
|
if (pgpResult.isPending()) {
|
||||||
@ -678,15 +681,16 @@ public class OpenPgpService extends RemoteService {
|
|||||||
|
|
||||||
// version code is required and needs to correspond to version code of service!
|
// version code is required and needs to correspond to version code of service!
|
||||||
// History of versions in org.openintents.openpgp.util.OpenPgpApi
|
// History of versions in org.openintents.openpgp.util.OpenPgpApi
|
||||||
// we support 3, 4, 5
|
// we support 3, 4, 5, 6
|
||||||
if (data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 3
|
if (data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 3
|
||||||
&& data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 4
|
&& data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 4
|
||||||
&& data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 5) {
|
&& data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 5
|
||||||
|
&& data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) != 6) {
|
||||||
Intent result = new Intent();
|
Intent result = new Intent();
|
||||||
OpenPgpError error = new OpenPgpError
|
OpenPgpError error = new OpenPgpError
|
||||||
(OpenPgpError.INCOMPATIBLE_API_VERSIONS, "Incompatible API versions!\n"
|
(OpenPgpError.INCOMPATIBLE_API_VERSIONS, "Incompatible API versions!\n"
|
||||||
+ "used API version: " + data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) + "\n"
|
+ "used API version: " + data.getIntExtra(OpenPgpApi.EXTRA_API_VERSION, -1) + "\n"
|
||||||
+ "supported API versions: 3, 4");
|
+ "supported API versions: 3, 4, 5, 6");
|
||||||
result.putExtra(OpenPgpApi.RESULT_ERROR, error);
|
result.putExtra(OpenPgpApi.RESULT_ERROR, error);
|
||||||
result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_ERROR);
|
result.putExtra(OpenPgpApi.RESULT_CODE, OpenPgpApi.RESULT_CODE_ERROR);
|
||||||
return result;
|
return result;
|
||||||
|
2
extern/openpgp-api-lib
vendored
2
extern/openpgp-api-lib
vendored
@ -1 +1 @@
|
|||||||
Subproject commit edcc61970f24bb3601af26d89f49d384e7a3aff6
|
Subproject commit 4f5fcbf94063301929d50370ab44895c6b4e1bd3
|
Loading…
Reference in New Issue
Block a user