Added option to check S/MIME key usage on sending

2026-04-17 14:33:32 +02:00 · 2024-12-09 08:02:52 +01:00
parent 01ee00fceb
commit bb8676b6e0
4 changed files with 53 additions and 4 deletions
--- a/app/src/main/java/eu/faircode/email/FragmentCompose.java
+++ b/app/src/main/java/eu/faircode/email/FragmentCompose.java
@@ -4388,6 +4388,7 @@ public class FragmentCompose extends FragmentBase {

                SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
                boolean check_certificate = prefs.getBoolean("check_certificate", true);
+                boolean check_key_usage = prefs.getBoolean("check_key_usage", false);

                File tmp = Helper.ensureExists(context, "encryption");

@@ -4455,8 +4456,30 @@ public class FragmentCompose extends FragmentBase {
                    // Check public key validity
                    try {
                        chain[0].checkValidity();
-                        // TODO: check digitalSignature/nonRepudiation key usage
-                        // https://datatracker.ietf.org/doc/html/rfc3850#section-4.4.2
+
+                        if (check_key_usage) {
+                            // Signing Key: Key Usage: Digital Signature, Non-Repudiation
+                            // Encrypting Key: Key Usage: Key Encipherment, Data Encipherment
+
+                            boolean[] usage = chain[0].getKeyUsage();
+                            if (usage != null && usage.length > 3) {
+                                // https://datatracker.ietf.org/doc/html/rfc3280#section-4.2.1.3
+                                // https://datatracker.ietf.org/doc/html/rfc3850#section-4.4.2
+                                boolean digitalSignature = usage[0];
+                                boolean keyEncipherment = usage[2];
+
+                                if (EntityMessage.SMIME_SIGNONLY.equals(type)) {
+                                    if (!digitalSignature)
+                                        throw new IllegalAccessException("Invalid key usage:" +
+                                                " digitalSignature=" + digitalSignature);
+                                } else if (EntityMessage.SMIME_SIGNENCRYPT.equals(type)) {
+                                    if (!digitalSignature || !keyEncipherment)
+                                        throw new IllegalAccessException("Invalid key usage:" +
+                                                " digitalSignature=" + digitalSignature +
+                                                " keyEncipherment=" + keyEncipherment);
+                                }
+                            }
+                        }
                    } catch (CertificateException ex) {
                        String msg = ex.getMessage();
                        throw new IllegalArgumentException(