neuhalje / bouncy-gpg

Make using Bouncy Castle with OpenPGP fun again!
https://neuhalje.github.io/bouncy-gpg/

Provide a custom `SignatureValidationStrategy` #62

Open bjansen opened 3 years ago

bjansen commented 3 years ago

I have a use case where I need to check that decrypted data has been signed by any of two given keys. The current API `RequireSpecificSignatureValidationStrategy` supports an "AND" verification, but I need an "OR" verification.

I think it would be nice if users had the possibility to provide their own instance of `SignatureValidationStrategy`. This way they can use custom strategies without having to submit PRs here and wait for a release.

Maybe a new method named `andValidateSignatureMatches(SignatureValidationStrategy)` in `name.neuhalfen.projects.crypto.bouncycastle.openpgp.BuildDecryptionInputStreamAPI.Validation`:

```java
BouncyGPG
    .decryptAndVerifyStream()
    .withConfig(...)
    .andValidateSignatureMatches(mySignatureValidationStrategy)
    .fromEncryptedInputStream(cipherTextStream);
```

bjansen commented 3 years ago

Well I guess I can bypass the builder API and use this instead:

```java
DecryptionStreamFactory.create(
    getKeyringConfig(),
    myStrategy
).wrapWithDecryptAndVerify(cipherTextStream);
```

Is it safe to use DecryptionStreamFactory directly? Is there a chance this API will change or be removed in the future?

Sauhardstark commented 3 years ago

I think your point on being able to specify a custom `SignatureValidationStrategy` is nice and should be further discussed with the author. In the interim, however, you might be able to take care of the issue by using the function below (if the two keys are present in the decryption key ring):

`andValidateSomeoneSigned`

But it would only validate that one of the keys in the keyring signed this message (not a particular subset). So, something like:

```java
BouncyGPG
    .decryptAndVerifyStream()
    .withConfig(...)
    // andValidateSomeoneSigned() takes no arguments
    .andValidateSomeoneSigned()
    .fromEncryptedInputStream(cipherTextStream);
```
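
The three acceptance rules discussed in this thread, side by side, as an added example that is not part of the thread and not bouncy-gpg code. It does not implement the library's `SignatureValidationStrategy` interface; the class, enum and method names are hypothetical, the key IDs are constructed, and it assumes the caller already has the set of key IDs whose signatures verified.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the policies in the thread; not bouncy-gpg API.
public class SignerPolicyDemo {
    enum Policy { ALL_OF, ANY_OF, ANYONE_IN_KEYRING }

    // verified: key IDs whose signature over the message checked out (assumed input)
    // keyring:  key IDs of every public key in the keyring
    // required: key IDs the caller names for this message (unused for ANYONE_IN_KEYRING)
    static boolean accept(Policy policy, Set<Long> verified, Set<Long> keyring, Set<Long> required) {
        Set<Long> known = new HashSet<>(verified);
        known.retainAll(keyring); // ignore IDs not backed by a key we hold
        switch (policy) {
            case ALL_OF:   // the "AND" rule; an empty requirement must not pass vacuously
                return !required.isEmpty() && known.containsAll(required);
            case ANY_OF:   // the "OR" rule requested in the issue
                return required.stream().anyMatch(known::contains);
            case ANYONE_IN_KEYRING: // any key in the keyring, not a chosen subset
                return !known.isEmpty();
            default:
                throw new IllegalArgumentException("unknown policy " + policy);
        }
    }

    public static void main(String[] args) {
        // Constructed key IDs, not real keys.
        long alice = 0x1111L, bob = 0x2222L, carol = 0x3333L;
        Set<Long> keyring = Set.of(alice, bob, carol);
        Set<Long> required = Set.of(alice, bob);

        Map<String, Set<Long>> cases = new LinkedHashMap<>();
        cases.put("signed by bob only", Set.of(bob));
        cases.put("signed by carol only", Set.of(carol));
        cases.put("unsigned", Set.of());

        for (Map.Entry<String, Set<Long>> c : cases.entrySet()) {
            for (Policy p : Policy.values()) {
                boolean ok = accept(p, c.getValue(), keyring, required);
                System.out.printf("%-22s %-18s %s%n", c.getKey(), p, ok ? "accept" : "reject");
            }
        }
    }
}
```

The "signed by carol only" case is where the interim workaround and the requested "OR" rule differ: carol is in the keyring but not in the required subset.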