cthrace/open-keychain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Better selection of preferred algorithm

Browse Source
This commit is contained in:
Dominik Schürmann
2015-03-05 10:49:57 +01:00
parent 8c8fdd6c49
commit c121657c2c
11 changed files with 99 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java
View File

@@ -20,6 +20,7 @@ package org.sufficientlysecure.keychain.pgp;
import org.spongycastle.bcpg.HashAlgorithmTags;
import org.spongycastle.bcpg.S2K;
import org.spongycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.spongycastle.openpgp.PGPException;
import org.spongycastle.openpgp.PGPPrivateKey;
import org.spongycastle.openpgp.PGPPublicKey;
@@ -137,7 +138,7 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
// It means the passphrase is empty
return SecretKeyType.PASSPHRASE_EMPTY;
} catch (PGPException e) {
HashMap<String,String> notation = getRing().getLocalNotationData();
HashMap<String, String> notation = getRing().getLocalNotationData();
if (notation.containsKey("unlock.pin@sufficientlysecure.org")
&& "1".equals(notation.get("unlock.pin@sufficientlysecure.org"))) {
return SecretKeyType.PIN;
@@ -179,7 +180,7 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
* Returns a list of all supported hash algorithms. This list is currently hardcoded to return
* a limited set of algorithms supported by Yubikeys.
*
* @return
* TODO: look into preferred algos of this key?
*/
public LinkedList<Integer> getSupportedHashAlgorithms() {
LinkedList<Integer> supported = new LinkedList<>();
@@ -187,24 +188,41 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) {
// No support for MD5
supported.add(HashAlgorithmTags.RIPEMD160);
supported.add(HashAlgorithmTags.SHA1);
// don't allow SHA1
supported.add(HashAlgorithmTags.SHA224);
supported.add(HashAlgorithmTags.SHA256);
supported.add(HashAlgorithmTags.SHA384);
supported.add(HashAlgorithmTags.SHA512); // preferred is latest
supported.add(HashAlgorithmTags.SHA512);
supported.add(HashAlgorithmTags.SHA256); // preferred is latest
} else {
supported.add(HashAlgorithmTags.MD5);
// NOTE: List of hash algorithms OpenKeychain wants to support!
// don't allow MD5
supported.add(HashAlgorithmTags.RIPEMD160);
supported.add(HashAlgorithmTags.SHA1);
// don't allow SHA1
supported.add(HashAlgorithmTags.SHA224);
supported.add(HashAlgorithmTags.SHA256);
supported.add(HashAlgorithmTags.SHA384);
supported.add(HashAlgorithmTags.SHA512); // preferred is latest
supported.add(HashAlgorithmTags.SHA512);
supported.add(HashAlgorithmTags.SHA256); // preferred is latest
// some application don't support SHA512, thus preferred is SHA-256 (Mailvelope?)
}
return supported;
}
/**
* TODO: look into preferred algos of this key?
*/
public static LinkedList<Integer> getSupportedEncryptionAlgorithms() {
LinkedList<Integer> supported = new LinkedList<>();
supported.add(SymmetricKeyAlgorithmTags.TWOFISH);
supported.add(SymmetricKeyAlgorithmTags.AES_128);
supported.add(SymmetricKeyAlgorithmTags.AES_192);
supported.add(SymmetricKeyAlgorithmTags.AES_256); // preferred is latest
return supported;
}
private PGPContentSignerBuilder getContentSignerBuilder(int hashAlgo, byte[] nfcSignedHash,
Date nfcCreationTimestamp) {
if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) {
@@ -358,7 +376,7 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
}
// HACK, for TESTING ONLY!!
PGPPrivateKey getPrivateKey () {
PGPPrivateKey getPrivateKey() {
return mPrivateKey;
}

4
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKeyRing.java
View File

@@ -19,11 +19,11 @@
package org.sufficientlysecure.keychain.pgp;
import org.spongycastle.openpgp.PGPKeyRing;
import org.spongycastle.openpgp.PGPObjectFactory;
import org.spongycastle.openpgp.PGPPublicKey;
import org.spongycastle.openpgp.PGPSecretKey;
import org.spongycastle.openpgp.PGPSecretKeyRing;
import org.spongycastle.openpgp.PGPSignature;
import org.spongycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.sufficientlysecure.keychain.Constants;
import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
import org.sufficientlysecure.keychain.util.IterableIterator;
@@ -45,7 +45,7 @@ public class CanonicalizedSecretKeyRing extends CanonicalizedKeyRing {
public CanonicalizedSecretKeyRing(byte[] blob, boolean isRevoked, int verified)
{
super(verified);
PGPObjectFactory factory = new PGPObjectFactory(blob);
JcaPGPObjectFactory factory = new JcaPGPObjectFactory(blob);
PGPKeyRing keyRing = null;
try {
if ((keyRing = (PGPKeyRing) factory.nextObject()) == null) {

2
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpKeyOperation.java
View File

@@ -95,7 +95,7 @@ public class PgpKeyOperation {
SymmetricKeyAlgorithmTags.AES_256,
SymmetricKeyAlgorithmTags.AES_192,
SymmetricKeyAlgorithmTags.AES_128,
SymmetricKeyAlgorithmTags.CAST5
SymmetricKeyAlgorithmTags.TWOFISH
};
private static final int[] PREFERRED_HASH_ALGORITHMS = new int[]{
HashAlgorithmTags.SHA512,

4
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptInput.java
View File

@@ -12,10 +12,10 @@ public class PgpSignEncryptInput {
protected int mCompressionId = CompressionAlgorithmTags.UNCOMPRESSED;
protected long[] mEncryptionMasterKeyIds = null;
protected String mSymmetricPassphrase = null;
protected int mSymmetricEncryptionAlgorithm = 0;
protected int mSymmetricEncryptionAlgorithm = Constants.OpenKeychainSymmetricKeyAlgorithmTags.USE_PREFERRED;
protected long mSignatureMasterKeyId = Constants.key.none;
protected Long mSignatureSubKeyId = null;
protected int mSignatureHashAlgorithm = 0;
protected int mSignatureHashAlgorithm = Constants.OpenKeychainHashAlgorithmTags.USE_PREFERRED;
protected String mSignaturePassphrase = null;
protected long mAdditionalEncryptId = Constants.key.none;
protected byte[] mNfcSignedHash = null;

12
OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpSignEncryptOperation.java
View File

@@ -25,7 +25,6 @@ import org.spongycastle.bcpg.ArmoredOutputStream;
import org.spongycastle.bcpg.BCPGOutputStream;
import org.spongycastle.bcpg.CompressionAlgorithmTags;
import org.spongycastle.openpgp.PGPCompressedDataGenerator;
import org.spongycastle.openpgp.PGPEncryptedData;
import org.spongycastle.openpgp.PGPEncryptedDataGenerator;
import org.spongycastle.openpgp.PGPException;
import org.spongycastle.openpgp.PGPLiteralData;
@@ -206,10 +205,10 @@ public class PgpSignEncryptOperation extends BaseOperation {
return new PgpSignEncryptResult(PgpSignEncryptResult.RESULT_ERROR, log);
}
// check if hash algo is supported
// Use preferred hash algo
int requestedAlgorithm = input.getSignatureHashAlgorithm();
LinkedList<Integer> supported = signingKey.getSupportedHashAlgorithms();
if (requestedAlgorithm == 0) {
if (requestedAlgorithm == Constants.OpenKeychainHashAlgorithmTags.USE_PREFERRED) {
// get most preferred
input.setSignatureHashAlgorithm(supported.getLast());
} else if (!supported.contains(requestedAlgorithm)) {
@@ -222,9 +221,12 @@ public class PgpSignEncryptOperation extends BaseOperation {
/* Initialize PGPEncryptedDataGenerator for later usage */
PGPEncryptedDataGenerator cPk = null;
if (enableEncryption) {
// Use preferred encryption algo
int algo = input.getSymmetricEncryptionAlgorithm();
if (algo == 0) {
algo = PGPEncryptedData.AES_128;
if (algo == Constants.OpenKeychainSymmetricKeyAlgorithmTags.USE_PREFERRED) {
// get most preferred
algo = CanonicalizedSecretKey.getSupportedEncryptionAlgorithms().getLast();
}
// has Integrity packet enabled!
JcePGPDataEncryptorBuilder encryptorBuilder =