mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7860 Commits
49 Branches
Tree: 4d7a16257f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4d7a16257f'
${ noResults }
jgit/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgSigner.java

BouncyCastleGpgSigner.java 5.3KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 
  1. /*

  2.  * Copyright (C) 2018, Salesforce. and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.lib.internal;

  11. 

  12. import java.io.ByteArrayOutputStream;

  13. import java.io.IOException;

  14. import java.net.URISyntaxException;

  15. import java.security.NoSuchAlgorithmException;

  16. import java.security.NoSuchProviderException;

  17. import java.security.Security;

  18. 

  19. import org.bouncycastle.bcpg.ArmoredOutputStream;

  20. import org.bouncycastle.bcpg.BCPGOutputStream;

  21. import org.bouncycastle.bcpg.HashAlgorithmTags;

  22. import org.bouncycastle.jce.provider.BouncyCastleProvider;

  23. import org.bouncycastle.openpgp.PGPException;

  24. import org.bouncycastle.openpgp.PGPPrivateKey;

  25. import org.bouncycastle.openpgp.PGPSecretKey;

  26. import org.bouncycastle.openpgp.PGPSignature;

  27. import org.bouncycastle.openpgp.PGPSignatureGenerator;

  28. import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;

  29. import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;

  30. import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;

  31. import org.eclipse.jgit.annotations.NonNull;

  32. import org.eclipse.jgit.annotations.Nullable;

  33. import org.eclipse.jgit.api.errors.CanceledException;

  34. import org.eclipse.jgit.api.errors.JGitInternalException;

  35. import org.eclipse.jgit.errors.UnsupportedCredentialItem;

  36. import org.eclipse.jgit.internal.JGitText;

  37. import org.eclipse.jgit.lib.CommitBuilder;

  38. import org.eclipse.jgit.lib.GpgSignature;

  39. import org.eclipse.jgit.lib.GpgSigner;

  40. import org.eclipse.jgit.lib.PersonIdent;

  41. import org.eclipse.jgit.transport.CredentialsProvider;

  42. 

  43. /**

  44.  * GPG Signer using BouncyCastle library

  45.  */

  46. public class BouncyCastleGpgSigner extends GpgSigner {

  47. 

  48. 	private static void registerBouncyCastleProviderIfNecessary() {

  49. 		if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {

  50. 			Security.addProvider(new BouncyCastleProvider());

  51. 		}

  52. 	}

  53. 

  54. 	/**

  55. 	 * Create a new instance.

  56. 	 * <p>

  57. 	 * The BounceCastleProvider will be registered if necessary.

  58. 	 * </p>

  59. 	 */

  60. 	public BouncyCastleGpgSigner() {

  61. 		registerBouncyCastleProviderIfNecessary();

  62. 	}

  63. 

  64. 	@Override

  65. 	public boolean canLocateSigningKey(@Nullable String gpgSigningKey,

  66. 			PersonIdent committer, CredentialsProvider credentialsProvider)

  67. 			throws CanceledException {

  68. 		try (BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt = new BouncyCastleGpgKeyPassphrasePrompt(

  69. 				credentialsProvider)) {

  70. 			BouncyCastleGpgKey gpgKey = locateSigningKey(gpgSigningKey,

  71. 					committer, passphrasePrompt);

  72. 			return gpgKey != null;

  73. 		} catch (PGPException | IOException | NoSuchAlgorithmException

  74. 				| NoSuchProviderException | URISyntaxException e) {

  75. 			return false;

  76. 		}

  77. 	}

  78. 

  79. 	private BouncyCastleGpgKey locateSigningKey(@Nullable String gpgSigningKey,

  80. 			PersonIdent committer,

  81. 			BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt)

  82. 			throws CanceledException, UnsupportedCredentialItem, IOException,

  83. 			NoSuchAlgorithmException, NoSuchProviderException, PGPException,

  84. 			URISyntaxException {

  85. 		if (gpgSigningKey == null || gpgSigningKey.isEmpty()) {

  86. 			gpgSigningKey = '<' + committer.getEmailAddress() + '>';

  87. 		}

  88. 

  89. 		BouncyCastleGpgKeyLocator keyHelper = new BouncyCastleGpgKeyLocator(

  90. 				gpgSigningKey, passphrasePrompt);

  91. 

  92. 		return keyHelper.findSecretKey();

  93. 	}

  94. 

  95. 	@Override

  96. 	public void sign(@NonNull CommitBuilder commit,

  97. 			@Nullable String gpgSigningKey, @NonNull PersonIdent committer,

  98. 			CredentialsProvider credentialsProvider) throws CanceledException {

  99. 		try (BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt = new BouncyCastleGpgKeyPassphrasePrompt(

  100. 				credentialsProvider)) {

  101. 			BouncyCastleGpgKey gpgKey = locateSigningKey(gpgSigningKey,

  102. 					committer, passphrasePrompt);

  103. 			PGPSecretKey secretKey = gpgKey.getSecretKey();

  104. 			if (secretKey == null) {

  105. 				throw new JGitInternalException(

  106. 						JGitText.get().unableToSignCommitNoSecretKey);

  107. 			}

  108. 			char[] passphrase = passphrasePrompt.getPassphrase(

  109. 					secretKey.getPublicKey().getFingerprint(),

  110. 					gpgKey.getOrigin());

  111. 			PGPPrivateKey privateKey = secretKey

  112. 					.extractPrivateKey(new JcePBESecretKeyDecryptorBuilder()

  113. 							.setProvider(BouncyCastleProvider.PROVIDER_NAME)

  114. 							.build(passphrase));

  115. 			PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(

  116. 					new JcaPGPContentSignerBuilder(

  117. 							secretKey.getPublicKey().getAlgorithm(),

  118. 							HashAlgorithmTags.SHA256).setProvider(

  119. 									BouncyCastleProvider.PROVIDER_NAME));

  120. 			signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);

  121. 			PGPSignatureSubpacketGenerator subpacketGenerator = new PGPSignatureSubpacketGenerator();

  122. 			subpacketGenerator.setIssuerFingerprint(false,

  123. 					secretKey.getPublicKey());

  124. 			signatureGenerator

  125. 					.setHashedSubpackets(subpacketGenerator.generate());

  126. 			ByteArrayOutputStream buffer = new ByteArrayOutputStream();

  127. 			try (BCPGOutputStream out = new BCPGOutputStream(

  128. 					new ArmoredOutputStream(buffer))) {

  129. 				signatureGenerator.update(commit.build());

  130. 				signatureGenerator.generate().encode(out);

  131. 			}

  132. 			commit.setGpgSignature(new GpgSignature(buffer.toByteArray()));

  133. 		} catch (PGPException | IOException | NoSuchAlgorithmException

  134. 				| NoSuchProviderException | URISyntaxException e) {

  135. 			throw new JGitInternalException(e.getMessage(), e);

  136. 		}

  137. 	}

  138. }