moparisthebest/open-keychain
1
0
Fork 0
mirror of https://github.com/moparisthebest/open-keychain synced 2025-02-17 07:30:14 -05:00
Code Issues Releases Wiki Activity

fix signatures produced by yubikey

Browse Source 
The timestamp was only set on a second run. This led to a race
condition whether the signature could be completed within the
same timestamp.

Fixes #834
This commit is contained in:
Vincent Breitmoser 2014-09-24 01:37:28 +02:00
parent 07e8729abf
commit d588b13255
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java
View File

@ -199,14 +199,6 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
private PGPContentSignerBuilder getContentSignerBuilder(int hashAlgo, byte[] nfcSignedHash, private PGPContentSignerBuilder getContentSignerBuilder(int hashAlgo, byte[] nfcSignedHash,
Date nfcCreationTimestamp) { Date nfcCreationTimestamp) {
if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) { if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) {
// to sign using nfc PgpSignEncrypt is executed two times.
// the first time it stops to return the PendingIntent for nfc connection and signing the hash
// the second time the signed hash is used.
// to get the same hash we cache the timestamp for the second round!
if (nfcCreationTimestamp == null) {
nfcCreationTimestamp = new Date();
}
// use synchronous "NFC based" SignerBuilder // use synchronous "NFC based" SignerBuilder
return new NfcSyncPGPContentSignerBuilder( return new NfcSyncPGPContentSignerBuilder(
mSecretKey.getPublicKey().getAlgorithm(), hashAlgo, mSecretKey.getPublicKey().getAlgorithm(), hashAlgo,
@ -226,6 +218,20 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
if (mPrivateKeyState == PRIVATE_KEY_STATE_LOCKED) { if (mPrivateKeyState == PRIVATE_KEY_STATE_LOCKED) {
throw new PrivateKeyNotUnlockedException(); throw new PrivateKeyNotUnlockedException();
} }
if (nfcSignedHash != null && nfcCreationTimestamp == null) {
throw new PgpGeneralException("Got nfc hash without timestamp!!");
}
// We explicitly create a signature creation timestamp in this place.
// That way, we can inject an artificial one from outside, ie the one
// used in previous runs of this function.
if (nfcCreationTimestamp == null) {
// to sign using nfc PgpSignEncrypt is executed two times.
// the first time it stops to return the PendingIntent for nfc connection and signing the hash
// the second time the signed hash is used.
// to get the same hash we cache the timestamp for the second round!
nfcCreationTimestamp = new Date();
}
PGPContentSignerBuilder contentSignerBuilder = getContentSignerBuilder(hashAlgo, PGPContentSignerBuilder contentSignerBuilder = getContentSignerBuilder(hashAlgo,
nfcSignedHash, nfcCreationTimestamp); nfcSignedHash, nfcCreationTimestamp);
@ -244,10 +250,7 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator(); PGPSignatureSubpacketGenerator spGen = new PGPSignatureSubpacketGenerator();
spGen.setSignerUserID(false, mRing.getPrimaryUserIdWithFallback()); spGen.setSignerUserID(false, mRing.getPrimaryUserIdWithFallback());
if (nfcCreationTimestamp != null) {
spGen.setSignatureCreationTime(false, nfcCreationTimestamp); spGen.setSignatureCreationTime(false, nfcCreationTimestamp);
Log.d(Constants.TAG, "For NFC: set sig creation time to " + nfcCreationTimestamp);
}
signatureGenerator.setHashedSubpackets(spGen.generate()); signatureGenerator.setHashedSubpackets(spGen.generate());
return signatureGenerator; return signatureGenerator;
} catch (PGPException e) { } catch (PGPException e) {