mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8224 Commits
49 Branches
Tree: 64cbea8a97
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '64cbea8a97'
${ noResults }
jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgKeyLocator.java

BouncyCastleGpgKeyLocator.java 22KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691 
  1. /*

  2.  * Copyright (C) 2018, 2021 Salesforce and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.gpg.bc.internal;

  11. 

  12. import static java.nio.file.Files.exists;

  13. import static java.nio.file.Files.newInputStream;

  14. 

  15. import java.io.BufferedInputStream;

  16. import java.io.File;

  17. import java.io.FileNotFoundException;

  18. import java.io.IOException;

  19. import java.io.InputStream;

  20. import java.net.URISyntaxException;

  21. import java.nio.file.DirectoryStream;

  22. import java.nio.file.Files;

  23. import java.nio.file.InvalidPathException;

  24. import java.nio.file.NoSuchFileException;

  25. import java.nio.file.Path;

  26. import java.nio.file.Paths;

  27. import java.security.NoSuchAlgorithmException;

  28. import java.security.NoSuchProviderException;

  29. import java.text.MessageFormat;

  30. import java.util.Iterator;

  31. import java.util.Locale;

  32. 

  33. import org.bouncycastle.gpg.SExprParser;

  34. import org.bouncycastle.gpg.keybox.BlobType;

  35. import org.bouncycastle.gpg.keybox.KeyBlob;

  36. import org.bouncycastle.gpg.keybox.KeyBox;

  37. import org.bouncycastle.gpg.keybox.KeyInformation;

  38. import org.bouncycastle.gpg.keybox.PublicKeyRingBlob;

  39. import org.bouncycastle.gpg.keybox.UserID;

  40. import org.bouncycastle.gpg.keybox.jcajce.JcaKeyBoxBuilder;

  41. import org.bouncycastle.openpgp.PGPException;

  42. import org.bouncycastle.openpgp.PGPKeyFlags;

  43. import org.bouncycastle.openpgp.PGPPublicKey;

  44. import org.bouncycastle.openpgp.PGPPublicKeyRing;

  45. import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;

  46. import org.bouncycastle.openpgp.PGPSecretKey;

  47. import org.bouncycastle.openpgp.PGPSecretKeyRing;

  48. import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;

  49. import org.bouncycastle.openpgp.PGPSignature;

  50. import org.bouncycastle.openpgp.PGPUtil;

  51. import org.bouncycastle.openpgp.operator.PBEProtectionRemoverFactory;

  52. import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;

  53. import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

  54. import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;

  55. import org.bouncycastle.openpgp.operator.jcajce.JcePBEProtectionRemoverFactory;

  56. import org.bouncycastle.util.encoders.Hex;

  57. import org.eclipse.jgit.annotations.NonNull;

  58. import org.eclipse.jgit.api.errors.CanceledException;

  59. import org.eclipse.jgit.errors.UnsupportedCredentialItem;

  60. import org.eclipse.jgit.gpg.bc.internal.keys.KeyGrip;

  61. import org.eclipse.jgit.util.FS;

  62. import org.eclipse.jgit.util.StringUtils;

  63. import org.eclipse.jgit.util.SystemReader;

  64. import org.slf4j.Logger;

  65. import org.slf4j.LoggerFactory;

  66. 

  67. /**

  68.  * Locates GPG keys from either <code>~/.gnupg/private-keys-v1.d</code> or

  69.  * <code>~/.gnupg/secring.gpg</code>

  70.  */

  71. public class BouncyCastleGpgKeyLocator {

  72. 

  73. 	/** Thrown if a keybox file exists but doesn't contain an OpenPGP key. */

  74. 	private static class NoOpenPgpKeyException extends Exception {

  75. 

  76. 		private static final long serialVersionUID = 1L;

  77. 

  78. 	}

  79. 

  80. 	/** Thrown if we try to read an encrypted private key without password. */

  81. 	private static class EncryptedPgpKeyException extends RuntimeException {

  82. 

  83. 		private static final long serialVersionUID = 1L;

  84. 

  85. 	}

  86. 

  87. 	private static final Logger log = LoggerFactory

  88. 			.getLogger(BouncyCastleGpgKeyLocator.class);

  89. 

  90. 	private static final Path GPG_DIRECTORY = findGpgDirectory();

  91. 

  92. 	private static final Path USER_KEYBOX_PATH = GPG_DIRECTORY

  93. 			.resolve("pubring.kbx"); //$NON-NLS-1$

  94. 

  95. 	private static final Path USER_SECRET_KEY_DIR = GPG_DIRECTORY

  96. 			.resolve("private-keys-v1.d"); //$NON-NLS-1$

  97. 

  98. 	private static final Path USER_PGP_PUBRING_FILE = GPG_DIRECTORY

  99. 			.resolve("pubring.gpg"); //$NON-NLS-1$

  100. 

  101. 	private static final Path USER_PGP_LEGACY_SECRING_FILE = GPG_DIRECTORY

  102. 			.resolve("secring.gpg"); //$NON-NLS-1$

  103. 

  104. 	private final String signingKey;

  105. 

  106. 	private BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt;

  107. 

  108. 	private static Path findGpgDirectory() {

  109. 		SystemReader system = SystemReader.getInstance();

  110. 		if (system.isWindows()) {

  111. 			// On Windows prefer %APPDATA%\gnupg if it exists, even if Cygwin is

  112. 			// used.

  113. 			String appData = system.getenv("APPDATA"); //$NON-NLS-1$

  114. 			if (appData != null && !appData.isEmpty()) {

  115. 				try {

  116. 					Path directory = Paths.get(appData).resolve("gnupg"); //$NON-NLS-1$

  117. 					if (Files.isDirectory(directory)) {

  118. 						return directory;

  119. 					}

  120. 				} catch (SecurityException | InvalidPathException e) {

  121. 					// Ignore and return the default location below.

  122. 				}

  123. 			}

  124. 		}

  125. 		// All systems, including Cygwin and even Windows if

  126. 		// %APPDATA%\gnupg doesn't exist: ~/.gnupg

  127. 		File home = FS.DETECTED.userHome();

  128. 		if (home == null) {

  129. 			// Oops. What now?

  130. 			home = new File(".").getAbsoluteFile(); //$NON-NLS-1$

  131. 		}

  132. 		return home.toPath().resolve(".gnupg"); //$NON-NLS-1$

  133. 	}

  134. 

  135. 	/**

  136. 	 * Create a new key locator for the specified signing key.

  137. 	 * <p>

  138. 	 * The signing key must either be a hex representation of a specific key or

  139. 	 * a user identity substring (eg., email address). All keys in the KeyBox

  140. 	 * will be looked up in the order as returned by the KeyBox. A key id will

  141. 	 * be searched before attempting to find a key by user id.

  142. 	 * </p>

  143. 	 *

  144. 	 * @param signingKey

  145. 	 *            the signing key to search for

  146. 	 * @param passphrasePrompt

  147. 	 *            the provider to use when asking for key passphrase

  148. 	 */

  149. 	public BouncyCastleGpgKeyLocator(String signingKey,

  150. 			@NonNull BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt) {

  151. 		this.signingKey = signingKey;

  152. 		this.passphrasePrompt = passphrasePrompt;

  153. 	}

  154. 

  155. 	private PGPSecretKey attemptParseSecretKey(Path keyFile,

  156. 			PGPDigestCalculatorProvider calculatorProvider,

  157. 			PBEProtectionRemoverFactory passphraseProvider,

  158. 			PGPPublicKey publicKey) throws IOException, PGPException {

  159. 		try (InputStream in = newInputStream(keyFile)) {

  160. 			return new SExprParser(calculatorProvider).parseSecretKey(

  161. 					new BufferedInputStream(in), passphraseProvider, publicKey);

  162. 		}

  163. 	}

  164. 

  165. 	/**

  166. 	 * Checks whether a given OpenPGP {@code userId} matches a given

  167. 	 * {@code signingKeySpec}, which is supposed to have one of the formats

  168. 	 * defined by GPG.

  169. 	 * <p>

  170. 	 * Not all formats are supported; only formats starting with '=', '&lt;',

  171. 	 * '@', and '*' are handled. Any other format results in a case-insensitive

  172. 	 * substring match.

  173. 	 * </p>

  174. 	 *

  175. 	 * @param userId

  176. 	 *            of a key

  177. 	 * @param signingKeySpec

  178. 	 *            GPG key identification

  179. 	 * @return whether the {@code userId} matches

  180. 	 * @see <a href=

  181. 	 *      "https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html">GPG

  182. 	 *      Documentation: How to Specify a User ID</a>

  183. 	 */

  184. 	static boolean containsSigningKey(String userId, String signingKeySpec) {

  185. 		if (StringUtils.isEmptyOrNull(userId)

  186. 				|| StringUtils.isEmptyOrNull(signingKeySpec)) {

  187. 			return false;

  188. 		}

  189. 		String toMatch = signingKeySpec;

  190. 		if (toMatch.startsWith("0x") && toMatch.trim().length() > 2) { //$NON-NLS-1$

  191. 			return false; // Explicit fingerprint

  192. 		}

  193. 		int command = toMatch.charAt(0);

  194. 		switch (command) {

  195. 		case '=':

  196. 		case '<':

  197. 		case '@':

  198. 		case '*':

  199. 			toMatch = toMatch.substring(1);

  200. 			if (toMatch.isEmpty()) {

  201. 				return false;

  202. 			}

  203. 			break;

  204. 		default:

  205. 			break;

  206. 		}

  207. 		switch (command) {

  208. 		case '=':

  209. 			return userId.equals(toMatch);

  210. 		case '<': {

  211. 			int begin = userId.indexOf('<');

  212. 			int end = userId.indexOf('>', begin + 1);

  213. 			int stop = toMatch.indexOf('>');

  214. 			return begin >= 0 && end > begin + 1 && stop > 0

  215. 					&& userId.substring(begin + 1, end)

  216. 							.equalsIgnoreCase(toMatch.substring(0, stop));

  217. 		}

  218. 		case '@': {

  219. 			int begin = userId.indexOf('<');

  220. 			int end = userId.indexOf('>', begin + 1);

  221. 			return begin >= 0 && end > begin + 1

  222. 					&& containsIgnoreCase(userId.substring(begin + 1, end),

  223. 							toMatch);

  224. 		}

  225. 		default:

  226. 			if (toMatch.trim().isEmpty()) {

  227. 				return false;

  228. 			}

  229. 			return containsIgnoreCase(userId, toMatch);

  230. 		}

  231. 	}

  232. 

  233. 	private static boolean containsIgnoreCase(String a, String b) {

  234. 		int alength = a.length();

  235. 		int blength = b.length();

  236. 		for (int i = 0; i + blength <= alength; i++) {

  237. 			if (a.regionMatches(true, i, b, 0, blength)) {

  238. 				return true;

  239. 			}

  240. 		}

  241. 		return false;

  242. 	}

  243. 

  244. 	private static String toFingerprint(String keyId) {

  245. 		if (keyId.startsWith("0x")) { //$NON-NLS-1$

  246. 			return keyId.substring(2);

  247. 		}

  248. 		return keyId;

  249. 	}

  250. 

  251. 	static PGPPublicKey findPublicKey(String fingerprint, String keySpec)

  252. 			throws IOException, PGPException {

  253. 		PGPPublicKey result = findPublicKeyInPubring(USER_PGP_PUBRING_FILE,

  254. 				fingerprint, keySpec);

  255. 		if (result == null && exists(USER_KEYBOX_PATH)) {

  256. 			try {

  257. 				result = findPublicKeyInKeyBox(USER_KEYBOX_PATH, fingerprint,

  258. 						keySpec);

  259. 			} catch (NoSuchAlgorithmException | NoSuchProviderException

  260. 					| IOException | NoOpenPgpKeyException e) {

  261. 				log.error(e.getMessage(), e);

  262. 			}

  263. 		}

  264. 		return result;

  265. 	}

  266. 

  267. 	private static PGPPublicKey findPublicKeyByKeyId(KeyBlob keyBlob,

  268. 			String keyId)

  269. 			throws IOException {

  270. 		if (keyId.isEmpty()) {

  271. 			return null;

  272. 		}

  273. 		for (KeyInformation keyInfo : keyBlob.getKeyInformation()) {

  274. 			String fingerprint = Hex.toHexString(keyInfo.getFingerprint())

  275. 					.toLowerCase(Locale.ROOT);

  276. 			if (fingerprint.endsWith(keyId)) {

  277. 				return getPublicKey(keyBlob, keyInfo.getFingerprint());

  278. 			}

  279. 		}

  280. 		return null;

  281. 	}

  282. 

  283. 	private static PGPPublicKey findPublicKeyByUserId(KeyBlob keyBlob,

  284. 			String keySpec)

  285. 			throws IOException {

  286. 		for (UserID userID : keyBlob.getUserIds()) {

  287. 			if (containsSigningKey(userID.getUserIDAsString(), keySpec)) {

  288. 				return getSigningPublicKey(keyBlob);

  289. 			}

  290. 		}

  291. 		return null;

  292. 	}

  293. 

  294. 	/**

  295. 	 * Finds a public key associated with the signing key.

  296. 	 *

  297. 	 * @param keyboxFile

  298. 	 *            the KeyBox file

  299. 	 * @param keyId

  300. 	 *            to look for, may be null

  301. 	 * @param keySpec

  302. 	 *            to look for

  303. 	 * @return publicKey the public key (maybe <code>null</code>)

  304. 	 * @throws IOException

  305. 	 *             in case of problems reading the file

  306. 	 * @throws NoSuchAlgorithmException

  307. 	 * @throws NoSuchProviderException

  308. 	 * @throws NoOpenPgpKeyException

  309. 	 *             if the file does not contain any OpenPGP key

  310. 	 */

  311. 	private static PGPPublicKey findPublicKeyInKeyBox(Path keyboxFile,

  312. 			String keyId, String keySpec)

  313. 			throws IOException, NoSuchAlgorithmException,

  314. 			NoSuchProviderException, NoOpenPgpKeyException {

  315. 		KeyBox keyBox = readKeyBoxFile(keyboxFile);

  316. 		String id = keyId != null ? keyId

  317. 				: toFingerprint(keySpec).toLowerCase(Locale.ROOT);

  318. 		boolean hasOpenPgpKey = false;

  319. 		for (KeyBlob keyBlob : keyBox.getKeyBlobs()) {

  320. 			if (keyBlob.getType() == BlobType.OPEN_PGP_BLOB) {

  321. 				hasOpenPgpKey = true;

  322. 				PGPPublicKey key = findPublicKeyByKeyId(keyBlob, id);

  323. 				if (key != null) {

  324. 					return key;

  325. 				}

  326. 				key = findPublicKeyByUserId(keyBlob, keySpec);

  327. 				if (key != null) {

  328. 					return key;

  329. 				}

  330. 			}

  331. 		}

  332. 		if (!hasOpenPgpKey) {

  333. 			throw new NoOpenPgpKeyException();

  334. 		}

  335. 		return null;

  336. 	}

  337. 

  338. 	/**

  339. 	 * If there is a private key directory containing keys, use pubring.kbx or

  340. 	 * pubring.gpg to find the public key; then try to find the secret key in

  341. 	 * the directory.

  342. 	 * <p>

  343. 	 * If there is no private key directory (or it doesn't contain any keys),

  344. 	 * try to find the key in secring.gpg directly.

  345. 	 * </p>

  346. 	 *

  347. 	 * @return the secret key

  348. 	 * @throws IOException

  349. 	 *             in case of issues reading key files

  350. 	 * @throws NoSuchAlgorithmException

  351. 	 * @throws NoSuchProviderException

  352. 	 * @throws PGPException

  353. 	 *             in case of issues finding a key, including no key found

  354. 	 * @throws CanceledException

  355. 	 * @throws URISyntaxException

  356. 	 * @throws UnsupportedCredentialItem

  357. 	 */

  358. 	@NonNull

  359. 	public BouncyCastleGpgKey findSecretKey() throws IOException,

  360. 			NoSuchAlgorithmException, NoSuchProviderException, PGPException,

  361. 			CanceledException, UnsupportedCredentialItem, URISyntaxException {

  362. 		BouncyCastleGpgKey key;

  363. 		PGPPublicKey publicKey = null;

  364. 		if (hasKeyFiles(USER_SECRET_KEY_DIR)) {

  365. 			// Use pubring.kbx or pubring.gpg to find the public key, then try

  366. 			// the key files in the directory. If the public key was found in

  367. 			// pubring.gpg also try secring.gpg to find the secret key.

  368. 			if (exists(USER_KEYBOX_PATH)) {

  369. 				try {

  370. 					publicKey = findPublicKeyInKeyBox(USER_KEYBOX_PATH, null,

  371. 							signingKey);

  372. 					if (publicKey != null) {

  373. 						key = findSecretKeyForKeyBoxPublicKey(publicKey,

  374. 								USER_KEYBOX_PATH);

  375. 						if (key != null) {

  376. 							return key;

  377. 						}

  378. 						throw new PGPException(MessageFormat.format(

  379. 								BCText.get().gpgNoSecretKeyForPublicKey,

  380. 								Long.toHexString(publicKey.getKeyID())));

  381. 					}

  382. 					throw new PGPException(MessageFormat.format(

  383. 							BCText.get().gpgNoPublicKeyFound, signingKey));

  384. 				} catch (NoOpenPgpKeyException e) {

  385. 					// There are no OpenPGP keys in the keybox at all: try the

  386. 					// pubring.gpg, if it exists.

  387. 					if (log.isDebugEnabled()) {

  388. 						log.debug("{} does not contain any OpenPGP keys", //$NON-NLS-1$

  389. 								USER_KEYBOX_PATH);

  390. 					}

  391. 				}

  392. 			}

  393. 			if (exists(USER_PGP_PUBRING_FILE)) {

  394. 				publicKey = findPublicKeyInPubring(USER_PGP_PUBRING_FILE, null,

  395. 						signingKey);

  396. 				if (publicKey != null) {

  397. 					// GPG < 2.1 may have both; the agent using the directory

  398. 					// and gpg using secring.gpg. GPG >= 2.1 delegates all

  399. 					// secret key handling to the agent and doesn't use

  400. 					// secring.gpg at all, even if it exists. Which means for us

  401. 					// we have to try both since we don't know which GPG version

  402. 					// the user has.

  403. 					key = findSecretKeyForKeyBoxPublicKey(publicKey,

  404. 							USER_PGP_PUBRING_FILE);

  405. 					if (key != null) {

  406. 						return key;

  407. 					}

  408. 				}

  409. 			}

  410. 			if (publicKey == null) {

  411. 				throw new PGPException(MessageFormat.format(

  412. 						BCText.get().gpgNoPublicKeyFound, signingKey));

  413. 			}

  414. 			// We found a public key, but didn't find the secret key in the

  415. 			// private key directory. Go try the secring.gpg.

  416. 		}

  417. 		boolean hasSecring = false;

  418. 		if (exists(USER_PGP_LEGACY_SECRING_FILE)) {

  419. 			hasSecring = true;

  420. 			key = loadKeyFromSecring(USER_PGP_LEGACY_SECRING_FILE);

  421. 			if (key != null) {

  422. 				return key;

  423. 			}

  424. 		}

  425. 		if (publicKey != null) {

  426. 			throw new PGPException(MessageFormat.format(

  427. 					BCText.get().gpgNoSecretKeyForPublicKey,

  428. 					Long.toHexString(publicKey.getKeyID())));

  429. 		} else if (hasSecring) {

  430. 			// publicKey == null: user has _only_ pubring.gpg/secring.gpg.

  431. 			throw new PGPException(MessageFormat.format(

  432. 					BCText.get().gpgNoKeyInLegacySecring, signingKey));

  433. 		} else {

  434. 			throw new PGPException(BCText.get().gpgNoKeyring);

  435. 		}

  436. 	}

  437. 

  438. 	private boolean hasKeyFiles(Path dir) {

  439. 		try (DirectoryStream<Path> contents = Files.newDirectoryStream(dir,

  440. 				"*.key")) { //$NON-NLS-1$

  441. 			return contents.iterator().hasNext();

  442. 		} catch (IOException e) {

  443. 			// Not a directory, or something else

  444. 			return false;

  445. 		}

  446. 	}

  447. 

  448. 	private BouncyCastleGpgKey loadKeyFromSecring(Path secring)

  449. 			throws IOException, PGPException {

  450. 		PGPSecretKey secretKey = findSecretKeyInLegacySecring(signingKey,

  451. 				secring);

  452. 

  453. 		if (secretKey != null) {

  454. 			if (!secretKey.isSigningKey()) {

  455. 				throw new PGPException(MessageFormat

  456. 						.format(BCText.get().gpgNotASigningKey, signingKey));

  457. 			}

  458. 			return new BouncyCastleGpgKey(secretKey, secring);

  459. 		}

  460. 		return null;

  461. 	}

  462. 

  463. 	private BouncyCastleGpgKey findSecretKeyForKeyBoxPublicKey(

  464. 			PGPPublicKey publicKey, Path userKeyboxPath)

  465. 			throws PGPException, CanceledException, UnsupportedCredentialItem,

  466. 			URISyntaxException {

  467. 		byte[] keyGrip = null;

  468. 		try {

  469. 			keyGrip = KeyGrip.getKeyGrip(publicKey);

  470. 		} catch (PGPException e) {

  471. 			throw new PGPException(

  472. 					MessageFormat.format(BCText.get().gpgNoKeygrip,

  473. 							Hex.toHexString(publicKey.getFingerprint())),

  474. 					e);

  475. 		}

  476. 		String filename = Hex.toHexString(keyGrip).toUpperCase(Locale.ROOT)

  477. 				+ ".key"; //$NON-NLS-1$

  478. 		Path keyFile = USER_SECRET_KEY_DIR.resolve(filename);

  479. 		if (!Files.exists(keyFile)) {

  480. 			return null;

  481. 		}

  482. 		boolean clearPrompt = false;

  483. 		try {

  484. 			PGPDigestCalculatorProvider calculatorProvider = new JcaPGPDigestCalculatorProviderBuilder()

  485. 					.build();

  486. 			PBEProtectionRemoverFactory passphraseProvider = p -> {

  487. 				throw new EncryptedPgpKeyException();

  488. 			};

  489. 			PGPSecretKey secretKey = null;

  490. 			try {

  491. 				// Try without passphrase

  492. 				secretKey = attemptParseSecretKey(keyFile, calculatorProvider,

  493. 						passphraseProvider, publicKey);

  494. 			} catch (EncryptedPgpKeyException e) {

  495. 				// Let's try again with a passphrase

  496. 				passphraseProvider = new JcePBEProtectionRemoverFactory(

  497. 						passphrasePrompt.getPassphrase(

  498. 								publicKey.getFingerprint(), userKeyboxPath));

  499. 				clearPrompt = true;

  500. 				try {

  501. 					secretKey = attemptParseSecretKey(keyFile, calculatorProvider,

  502. 							passphraseProvider, publicKey);

  503. 				} catch (PGPException e1) {

  504. 					throw new PGPException(MessageFormat.format(

  505. 							BCText.get().gpgFailedToParseSecretKey,

  506. 							keyFile.toAbsolutePath()), e);

  507. 

  508. 				}

  509. 			}

  510. 			if (secretKey != null) {

  511. 				if (!secretKey.isSigningKey()) {

  512. 					throw new PGPException(MessageFormat.format(

  513. 							BCText.get().gpgNotASigningKey, signingKey));

  514. 				}

  515. 				clearPrompt = false;

  516. 				return new BouncyCastleGpgKey(secretKey, userKeyboxPath);

  517. 			}

  518. 			return null;

  519. 		} catch (RuntimeException e) {

  520. 			throw e;

  521. 		} catch (FileNotFoundException | NoSuchFileException e) {

  522. 			clearPrompt = false;

  523. 			return null;

  524. 		} catch (IOException e) {

  525. 			throw new PGPException(MessageFormat.format(

  526. 					BCText.get().gpgFailedToParseSecretKey,

  527. 					keyFile.toAbsolutePath()), e);

  528. 		} finally {

  529. 			if (clearPrompt) {

  530. 				passphrasePrompt.clear();

  531. 			}

  532. 		}

  533. 	}

  534. 

  535. 	/**

  536. 	 * Return the first suitable key for signing in the key ring collection. For

  537. 	 * this case we only expect there to be one key available for signing.

  538. 	 * </p>

  539. 	 *

  540. 	 * @param signingkey

  541. 	 * @param secringFile

  542. 	 *

  543. 	 * @return the first suitable PGP secret key found for signing

  544. 	 * @throws IOException

  545. 	 *             on I/O related errors

  546. 	 * @throws PGPException

  547. 	 *             on BouncyCastle errors

  548. 	 */

  549. 	private PGPSecretKey findSecretKeyInLegacySecring(String signingkey,

  550. 			Path secringFile) throws IOException, PGPException {

  551. 

  552. 		try (InputStream in = newInputStream(secringFile)) {

  553. 			PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(

  554. 					PGPUtil.getDecoderStream(new BufferedInputStream(in)),

  555. 					new JcaKeyFingerprintCalculator());

  556. 

  557. 			String keyId = toFingerprint(signingkey).toLowerCase(Locale.ROOT);

  558. 			Iterator<PGPSecretKeyRing> keyrings = pgpSec.getKeyRings();

  559. 			while (keyrings.hasNext()) {

  560. 				PGPSecretKeyRing keyRing = keyrings.next();

  561. 				Iterator<PGPSecretKey> keys = keyRing.getSecretKeys();

  562. 				while (keys.hasNext()) {

  563. 					PGPSecretKey key = keys.next();

  564. 					// try key id

  565. 					String fingerprint = Hex

  566. 							.toHexString(key.getPublicKey().getFingerprint())

  567. 							.toLowerCase(Locale.ROOT);

  568. 					if (fingerprint.endsWith(keyId)) {

  569. 						return key;

  570. 					}

  571. 					// try user id

  572. 					Iterator<String> userIDs = key.getUserIDs();

  573. 					while (userIDs.hasNext()) {

  574. 						String userId = userIDs.next();

  575. 						if (containsSigningKey(userId, signingKey)) {

  576. 							return key;

  577. 						}

  578. 					}

  579. 				}

  580. 			}

  581. 		}

  582. 		return null;

  583. 	}

  584. 

  585. 	/**

  586. 	 * Return the first public key matching the key id ({@link #signingKey}.

  587. 	 *

  588. 	 * @param pubringFile

  589. 	 *            to search

  590. 	 * @param keyId

  591. 	 *            to look for, may be null

  592. 	 * @param keySpec

  593. 	 *            to look for

  594. 	 *

  595. 	 * @return the PGP public key, or {@code null} if none found

  596. 	 * @throws IOException

  597. 	 *             on I/O related errors

  598. 	 * @throws PGPException

  599. 	 *             on BouncyCastle errors

  600. 	 */

  601. 	private static PGPPublicKey findPublicKeyInPubring(Path pubringFile,

  602. 			String keyId, String keySpec)

  603. 			throws IOException, PGPException {

  604. 		try (InputStream in = newInputStream(pubringFile)) {

  605. 			PGPPublicKeyRingCollection pgpPub = new PGPPublicKeyRingCollection(

  606. 					new BufferedInputStream(in),

  607. 					new JcaKeyFingerprintCalculator());

  608. 

  609. 			String id = keyId != null ? keyId

  610. 					: toFingerprint(keySpec).toLowerCase(Locale.ROOT);

  611. 			Iterator<PGPPublicKeyRing> keyrings = pgpPub.getKeyRings();

  612. 			while (keyrings.hasNext()) {

  613. 				PGPPublicKeyRing keyRing = keyrings.next();

  614. 				Iterator<PGPPublicKey> keys = keyRing.getPublicKeys();

  615. 				while (keys.hasNext()) {

  616. 					PGPPublicKey key = keys.next();

  617. 					// try key id

  618. 					String fingerprint = Hex.toHexString(key.getFingerprint())

  619. 							.toLowerCase(Locale.ROOT);

  620. 					if (fingerprint.endsWith(id)) {

  621. 						return key;

  622. 					}

  623. 					// try user id

  624. 					Iterator<String> userIDs = key.getUserIDs();

  625. 					while (userIDs.hasNext()) {

  626. 						String userId = userIDs.next();

  627. 						if (containsSigningKey(userId, keySpec)) {

  628. 							return key;

  629. 						}

  630. 					}

  631. 				}

  632. 			}

  633. 		} catch (FileNotFoundException | NoSuchFileException e) {

  634. 			// Ignore and return null

  635. 		}

  636. 		return null;

  637. 	}

  638. 

  639. 	private static PGPPublicKey getPublicKey(KeyBlob blob, byte[] fingerprint)

  640. 			throws IOException {

  641. 		return ((PublicKeyRingBlob) blob).getPGPPublicKeyRing()

  642. 				.getPublicKey(fingerprint);

  643. 	}

  644. 

  645. 	private static PGPPublicKey getSigningPublicKey(KeyBlob blob)

  646. 			throws IOException {

  647. 		PGPPublicKey masterKey = null;

  648. 		Iterator<PGPPublicKey> keys = ((PublicKeyRingBlob) blob)

  649. 				.getPGPPublicKeyRing().getPublicKeys();

  650. 		while (keys.hasNext()) {

  651. 			PGPPublicKey key = keys.next();

  652. 			// only consider keys that have the [S] usage flag set

  653. 			if (isSigningKey(key)) {

  654. 				if (key.isMasterKey()) {

  655. 					masterKey = key;

  656. 				} else {

  657. 					return key;

  658. 				}

  659. 			}

  660. 		}

  661. 		// return the master key if no other signing key was found or null if

  662. 		// the master key did not have the signing flag set

  663. 		return masterKey;

  664. 	}

  665. 

  666. 	private static boolean isSigningKey(PGPPublicKey key) {

  667. 		Iterator signatures = key.getSignatures();

  668. 		while (signatures.hasNext()) {

  669. 			PGPSignature sig = (PGPSignature) signatures.next();

  670. 			if ((sig.getHashedSubPackets().getKeyFlags()

  671. 					& PGPKeyFlags.CAN_SIGN) > 0) {

  672. 				return true;

  673. 			}

  674. 		}

  675. 		return false;

  676. 	}

  677. 

  678. 	private static KeyBox readKeyBoxFile(Path keyboxFile) throws IOException,

  679. 			NoSuchAlgorithmException, NoSuchProviderException,

  680. 			NoOpenPgpKeyException {

  681. 		if (keyboxFile.toFile().length() == 0) {

  682. 			throw new NoOpenPgpKeyException();

  683. 		}

  684. 		KeyBox keyBox;

  685. 		try (InputStream in = new BufferedInputStream(

  686. 				newInputStream(keyboxFile))) {

  687. 			keyBox = new JcaKeyBoxBuilder().build(in);

  688. 		}

  689. 		return keyBox;

  690. 	}

  691. }