Merge branch 'master' of github.com:open-keychain/open-keychain
This commit is contained in:
Vincent Breitmoser
@@ -23,6 +23,7 @@ import org.spongycastle.bcpg.HashAlgorithmTags;
|
||||
import org.spongycastle.bcpg.PublicKeyAlgorithmTags;
|
||||
import org.spongycastle.bcpg.SymmetricKeyAlgorithmTags;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
|
||||
/**
|
||||
@@ -42,24 +43,23 @@ public class PgpSecurityConstants {
|
||||
* Whitelist of accepted symmetric encryption algorithms
|
||||
* all other algorithms are rejected with OpenPgpDecryptionResult.RESULT_INSECURE
|
||||
*/
|
||||
private static HashSet<Integer> sSymmetricAlgorithmsWhitelist = new HashSet<>();
|
||||
static {
|
||||
// General remarks: We try to keep the whitelist short to reduce attack surface
|
||||
// TODO: block IDEA?: Bad key schedule (weak keys), implementation difficulties (easy to make errors)
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.IDEA);
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.TRIPLE_DES); // a MUST in RFC
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.CAST5); // default in many gpg, pgp versions, 128 bit key
|
||||
// BLOWFISH: Twofish is the successor
|
||||
// SAFER: not used widely
|
||||
// DES: < 128 bit security
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_128);
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_192);
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.AES_256);
|
||||
sSymmetricAlgorithmsWhitelist.add(SymmetricKeyAlgorithmTags.TWOFISH); // 128 bit
|
||||
// CAMELLIA_128: not used widely
|
||||
// CAMELLIA_192: not used widely
|
||||
// CAMELLIA_256: not used widely
|
||||
}
|
||||
private static HashSet<Integer> sSymmetricAlgorithmsWhitelist = new HashSet<>(Arrays.asList(
|
||||
// General remarks: We try to keep the whitelist short to reduce attack surface
|
||||
// TODO: block IDEA?: Bad key schedule (weak keys), implementation difficulties (easy to make errors)
|
||||
SymmetricKeyAlgorithmTags.IDEA,
|
||||
SymmetricKeyAlgorithmTags.TRIPLE_DES, // a MUST in RFC
|
||||
SymmetricKeyAlgorithmTags.CAST5, // default in many gpg, pgp versions, 128 bit key
|
||||
// BLOWFISH: Twofish is the successor
|
||||
// SAFER: not used widely
|
||||
// DES: < 128 bit security
|
||||
SymmetricKeyAlgorithmTags.AES_128,
|
||||
SymmetricKeyAlgorithmTags.AES_192,
|
||||
SymmetricKeyAlgorithmTags.AES_256,
|
||||
SymmetricKeyAlgorithmTags.TWOFISH // 128 bit
|
||||
// CAMELLIA_128: not used widely
|
||||
// CAMELLIA_192: not used widely
|
||||
// CAMELLIA_256: not used widely
|
||||
));
|
||||
|
||||
public static boolean isSecureSymmetricAlgorithm(int id) {
|
||||
return sSymmetricAlgorithmsWhitelist.contains(id);
|
||||
@@ -77,20 +77,19 @@ public class PgpSecurityConstants {
|
||||
* ((collision resistance of 112-bits))
|
||||
* Implementations SHOULD NOT sign SHA-256 hashes. They MUST NOT default to signing SHA-256 hashes.
|
||||
*/
|
||||
private static HashSet<Integer> sHashAlgorithmsWhitelist = new HashSet<>();
|
||||
static {
|
||||
// MD5: broken
|
||||
// SHA1: broken
|
||||
// RIPEMD160: same security properties as SHA1
|
||||
// DOUBLE_SHA: not used widely
|
||||
// MD2: not used widely
|
||||
// TIGER_192: not used widely
|
||||
// HAVAL_5_160: not used widely
|
||||
sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA256); // compatibility for old Mailvelope versions
|
||||
sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA384);
|
||||
sHashAlgorithmsWhitelist.add(HashAlgorithmTags.SHA512);
|
||||
// SHA224: Not used widely, Yahoo argues against it
|
||||
}
|
||||
private static HashSet<Integer> sHashAlgorithmsWhitelist = new HashSet<>(Arrays.asList(
|
||||
// MD5: broken
|
||||
// SHA1: broken
|
||||
// RIPEMD160: same security properties as SHA1
|
||||
// DOUBLE_SHA: not used widely
|
||||
// MD2: not used widely
|
||||
// TIGER_192: not used widely
|
||||
// HAVAL_5_160: not used widely
|
||||
HashAlgorithmTags.SHA256, // compatibility for old Mailvelope versions
|
||||
HashAlgorithmTags.SHA384,
|
||||
HashAlgorithmTags.SHA512
|
||||
// SHA224: Not used widely, Yahoo argues against it
|
||||
));
|
||||
|
||||
public static boolean isSecureHashAlgorithm(int id) {
|
||||
return sHashAlgorithmsWhitelist.contains(id);
|
||||
@@ -106,12 +105,11 @@ public class PgpSecurityConstants {
|
||||
* bitlength less than 1023 bits.
|
||||
* Implementations MUST NOT accept any RSA keys with bitlength less than 2047 bits after January 1, 2016.
|
||||
*/
|
||||
private static HashSet<String> sCurveWhitelist = new HashSet<>();
|
||||
static {
|
||||
sCurveWhitelist.add(NISTNamedCurves.getOID("P-256").getId());
|
||||
sCurveWhitelist.add(NISTNamedCurves.getOID("P-384").getId());
|
||||
sCurveWhitelist.add(NISTNamedCurves.getOID("P-521").getId());
|
||||
}
|
||||
private static HashSet<String> sCurveWhitelist = new HashSet<>(Arrays.asList(
|
||||
NISTNamedCurves.getOID("P-256").getId(),
|
||||
NISTNamedCurves.getOID("P-384").getId(),
|
||||
NISTNamedCurves.getOID("P-521").getId()
|
||||
));
|
||||
|
||||
public static boolean isSecureKey(CanonicalizedPublicKey key) {
|
||||
switch (key.getAlgorithm()) {
|
||||
|
||||
@@ -243,7 +243,7 @@ public class AppsListFragment extends ListFragment implements
|
||||
null,
|
||||
isInstalled(packageName),
|
||||
1, // registered!
|
||||
R.drawable.ic_launcher // icon is retrieved later
|
||||
R.mipmap.ic_launcher // icon is retrieved later
|
||||
});
|
||||
break;
|
||||
}
|
||||
@@ -265,7 +265,7 @@ public class AppsListFragment extends ListFragment implements
|
||||
name,
|
||||
isInstalled(packageName),
|
||||
1, // registered!
|
||||
R.drawable.ic_launcher // icon is retrieved later
|
||||
R.mipmap.ic_launcher // icon is retrieved later
|
||||
});
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -427,7 +427,7 @@ public class KeyserverSyncAdapterService extends Service {
|
||||
private Notification getOrbotNoification(Context context) {
|
||||
NotificationCompat.Builder builder = new NotificationCompat.Builder(context);
|
||||
builder.setSmallIcon(R.drawable.ic_stat_notify_24dp)
|
||||
.setLargeIcon(getBitmap(R.drawable.ic_launcher, context))
|
||||
.setLargeIcon(getBitmap(R.mipmap.ic_launcher, context))
|
||||
.setContentTitle(context.getString(R.string.keyserver_sync_orbot_notif_title))
|
||||
.setContentText(context.getString(R.string.keyserver_sync_orbot_notif_msg))
|
||||
.setAutoCancel(true);
|
||||
|
||||
@@ -509,7 +509,7 @@ public class PassphraseCacheService extends Service {
|
||||
private Notification getNotification() {
|
||||
NotificationCompat.Builder builder = new NotificationCompat.Builder(this);
|
||||
builder.setSmallIcon(R.drawable.ic_stat_notify_24dp)
|
||||
.setLargeIcon(getBitmap(R.drawable.ic_launcher, getBaseContext()))
|
||||
.setLargeIcon(getBitmap(R.mipmap.ic_launcher, getBaseContext()))
|
||||
.setContentTitle(getResources().getQuantityString(R.plurals.passp_cache_notif_n_keys,
|
||||
mPassphraseCache.size(), mPassphraseCache.size()))
|
||||
.setContentText(getString(R.string.passp_cache_notif_click_to_clear));
|
||||
@@ -601,4 +601,4 @@ public class PassphraseCacheService extends Service {
|
||||
this.passphrase = passphrase;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -448,7 +448,7 @@ public class DecryptListFragment
|
||||
new Intent(intent)
|
||||
.setClass(activity, DisplayTextActivity.class)
|
||||
.putExtra(DisplayTextActivity.EXTRA_METADATA, result),
|
||||
BuildConfig.APPLICATION_ID, R.string.view_internal, R.drawable.ic_launcher);
|
||||
BuildConfig.APPLICATION_ID, R.string.view_internal, R.mipmap.ic_launcher);
|
||||
|
||||
Intent chooserIntent = Intent.createChooser(intent, getString(R.string.intent_show));
|
||||
chooserIntent.putExtra(Intent.EXTRA_INITIAL_INTENTS,
|
||||
|
||||
Reference in New Issue
Block a user