cthrace/open-keychain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Dont allow RSA_SIGN, RSA_ENCRYPT, deprecated in RFC

Browse Source
This commit is contained in:
Dominik Schürmann
2015-08-10 13:54:25 +02:00
parent 8719938306
commit 74c80d4a9d
1 changed files with 3 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSecurityConstants.java
View File

@@ -101,9 +101,6 @@ public class PgpSecurityConstants {
* all other algorithms are rejected with OpenPgpSignatureResult.RESULT_INSECURE or * all other algorithms are rejected with OpenPgpSignatureResult.RESULT_INSECURE or
* OpenPgpDecryptionResult.RESULT_INSECURE * OpenPgpDecryptionResult.RESULT_INSECURE
* *
* REASON:
* Don't allow ELGAMAL_GENERAL (20), reason in RFC
*
* coorus: * coorus:
* Implementations MUST NOT accept, or treat any signature as valid, by an RSA key with * Implementations MUST NOT accept, or treat any signature as valid, by an RSA key with
* bitlength less than 1023 bits. * bitlength less than 1023 bits.
@@ -118,25 +115,21 @@ public class PgpSecurityConstants {
public static boolean isSecureKey(CanonicalizedPublicKey key) { public static boolean isSecureKey(CanonicalizedPublicKey key) {
switch (key.getAlgorithm()) { switch (key.getAlgorithm()) {
case PublicKeyAlgorithmTags.RSA_GENERAL: case PublicKeyAlgorithmTags.RSA_GENERAL: {
case PublicKeyAlgorithmTags.RSA_ENCRYPT:
case PublicKeyAlgorithmTags.RSA_SIGN: {
return (key.getBitStrength() >= 2048); return (key.getBitStrength() >= 2048);
} }
// RSA_ENCRYPT, RSA_SIGN: deprecated in RFC 4880, use RSA_GENERAL with key flags
case PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT: { case PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT: {
return (key.getBitStrength() >= 2048); return (key.getBitStrength() >= 2048);
} }
case PublicKeyAlgorithmTags.DSA: { case PublicKeyAlgorithmTags.DSA: {
return (key.getBitStrength() >= 2048); return (key.getBitStrength() >= 2048);
} }
case PublicKeyAlgorithmTags.ECDH: case PublicKeyAlgorithmTags.ECDH:
case PublicKeyAlgorithmTags.ECDSA: { case PublicKeyAlgorithmTags.ECDSA: {
return PgpSecurityConstants.sCurveWhitelist.contains(key.getCurveOid()); return PgpSecurityConstants.sCurveWhitelist.contains(key.getCurveOid());
} }
// ELGAMAL_GENERAL: Must not be used, use ELGAMAL_ENCRYPT // ELGAMAL_GENERAL: deprecated in RFC 4880, use ELGAMAL_ENCRYPT
// DIFFIE_HELLMAN: unsure // DIFFIE_HELLMAN: unsure
default: default:
return false; return false;