mirrors
/
jgit
kopie van https://github.com/eclipse/jgit.git
Volgen 1
Ster 0
Vork 0
Code Kwesties 0 Publicaties 204 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8214 Commits
49 Branches
Tree: 6d462e5fe9
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '6d462e5fe9'
${ noResults }
jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgSigner.java

BouncyCastleGpgSigner.java 8.2KB
Ruw Blame Geschiedenis

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223 
  1. /*

  2.  * Copyright (C) 2018, 2020, Salesforce and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.gpg.bc.internal;

  11. 

  12. import java.io.ByteArrayOutputStream;

  13. import java.io.IOException;

  14. import java.net.URISyntaxException;

  15. import java.security.NoSuchAlgorithmException;

  16. import java.security.NoSuchProviderException;

  17. import java.security.Security;

  18. import java.util.Iterator;

  19. 

  20. import org.bouncycastle.bcpg.ArmoredOutputStream;

  21. import org.bouncycastle.bcpg.BCPGOutputStream;

  22. import org.bouncycastle.bcpg.HashAlgorithmTags;

  23. import org.bouncycastle.jce.provider.BouncyCastleProvider;

  24. import org.bouncycastle.openpgp.PGPException;

  25. import org.bouncycastle.openpgp.PGPPrivateKey;

  26. import org.bouncycastle.openpgp.PGPPublicKey;

  27. import org.bouncycastle.openpgp.PGPSecretKey;

  28. import org.bouncycastle.openpgp.PGPSignature;

  29. import org.bouncycastle.openpgp.PGPSignatureGenerator;

  30. import org.bouncycastle.openpgp.PGPSignatureSubpacketGenerator;

  31. import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;

  32. import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;

  33. import org.eclipse.jgit.annotations.NonNull;

  34. import org.eclipse.jgit.annotations.Nullable;

  35. import org.eclipse.jgit.api.errors.CanceledException;

  36. import org.eclipse.jgit.api.errors.JGitInternalException;

  37. import org.eclipse.jgit.api.errors.UnsupportedSigningFormatException;

  38. import org.eclipse.jgit.errors.UnsupportedCredentialItem;

  39. import org.eclipse.jgit.internal.JGitText;

  40. import org.eclipse.jgit.lib.CommitBuilder;

  41. import org.eclipse.jgit.lib.GpgConfig;

  42. import org.eclipse.jgit.lib.GpgSignature;

  43. import org.eclipse.jgit.lib.GpgSigner;

  44. import org.eclipse.jgit.lib.GpgObjectSigner;

  45. import org.eclipse.jgit.lib.ObjectBuilder;

  46. import org.eclipse.jgit.lib.PersonIdent;

  47. import org.eclipse.jgit.lib.GpgConfig.GpgFormat;

  48. import org.eclipse.jgit.transport.CredentialsProvider;

  49. import org.eclipse.jgit.util.StringUtils;

  50. 

  51. /**

  52.  * GPG Signer using BouncyCastle library

  53.  */

  54. public class BouncyCastleGpgSigner extends GpgSigner

  55. 		implements GpgObjectSigner {

  56. 

  57. 	private static void registerBouncyCastleProviderIfNecessary() {

  58. 		if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {

  59. 			Security.addProvider(new BouncyCastleProvider());

  60. 		}

  61. 	}

  62. 

  63. 	/**

  64. 	 * Create a new instance.

  65. 	 * <p>

  66. 	 * The BounceCastleProvider will be registered if necessary.

  67. 	 * </p>

  68. 	 */

  69. 	public BouncyCastleGpgSigner() {

  70. 		registerBouncyCastleProviderIfNecessary();

  71. 	}

  72. 

  73. 	@Override

  74. 	public boolean canLocateSigningKey(@Nullable String gpgSigningKey,

  75. 			PersonIdent committer, CredentialsProvider credentialsProvider)

  76. 			throws CanceledException {

  77. 		try {

  78. 			return canLocateSigningKey(gpgSigningKey, committer,

  79. 					credentialsProvider, null);

  80. 		} catch (UnsupportedSigningFormatException e) {

  81. 			// Cannot occur with a null config

  82. 			return false;

  83. 		}

  84. 	}

  85. 

  86. 	@Override

  87. 	public boolean canLocateSigningKey(@Nullable String gpgSigningKey,

  88. 			PersonIdent committer, CredentialsProvider credentialsProvider,

  89. 			GpgConfig config)

  90. 			throws CanceledException, UnsupportedSigningFormatException {

  91. 		if (config != null && config.getKeyFormat() != GpgFormat.OPENPGP) {

  92. 			throw new UnsupportedSigningFormatException(

  93. 					JGitText.get().onlyOpenPgpSupportedForSigning);

  94. 		}

  95. 		try (BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt = new BouncyCastleGpgKeyPassphrasePrompt(

  96. 				credentialsProvider)) {

  97. 			BouncyCastleGpgKey gpgKey = locateSigningKey(gpgSigningKey,

  98. 					committer, passphrasePrompt);

  99. 			return gpgKey != null;

  100. 		} catch (PGPException | IOException | NoSuchAlgorithmException

  101. 				| NoSuchProviderException | URISyntaxException e) {

  102. 			return false;

  103. 		}

  104. 	}

  105. 

  106. 	private BouncyCastleGpgKey locateSigningKey(@Nullable String gpgSigningKey,

  107. 			PersonIdent committer,

  108. 			BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt)

  109. 			throws CanceledException, UnsupportedCredentialItem, IOException,

  110. 			NoSuchAlgorithmException, NoSuchProviderException, PGPException,

  111. 			URISyntaxException {

  112. 		if (gpgSigningKey == null || gpgSigningKey.isEmpty()) {

  113. 			gpgSigningKey = '<' + committer.getEmailAddress() + '>';

  114. 		}

  115. 

  116. 		BouncyCastleGpgKeyLocator keyHelper = new BouncyCastleGpgKeyLocator(

  117. 				gpgSigningKey, passphrasePrompt);

  118. 

  119. 		return keyHelper.findSecretKey();

  120. 	}

  121. 

  122. 	@Override

  123. 	public void sign(@NonNull CommitBuilder commit,

  124. 			@Nullable String gpgSigningKey, @NonNull PersonIdent committer,

  125. 			CredentialsProvider credentialsProvider) throws CanceledException {

  126. 		try {

  127. 			signObject(commit, gpgSigningKey, committer, credentialsProvider,

  128. 					null);

  129. 		} catch (UnsupportedSigningFormatException e) {

  130. 			// Cannot occur with a null config

  131. 		}

  132. 	}

  133. 

  134. 	@Override

  135. 	public void signObject(@NonNull ObjectBuilder object,

  136. 			@Nullable String gpgSigningKey, @NonNull PersonIdent committer,

  137. 			CredentialsProvider credentialsProvider, GpgConfig config)

  138. 			throws CanceledException, UnsupportedSigningFormatException {

  139. 		if (config != null && config.getKeyFormat() != GpgFormat.OPENPGP) {

  140. 			throw new UnsupportedSigningFormatException(

  141. 					JGitText.get().onlyOpenPgpSupportedForSigning);

  142. 		}

  143. 		try (BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt = new BouncyCastleGpgKeyPassphrasePrompt(

  144. 				credentialsProvider)) {

  145. 			BouncyCastleGpgKey gpgKey = locateSigningKey(gpgSigningKey,

  146. 					committer, passphrasePrompt);

  147. 			PGPSecretKey secretKey = gpgKey.getSecretKey();

  148. 			if (secretKey == null) {

  149. 				throw new JGitInternalException(

  150. 						BCText.get().unableToSignCommitNoSecretKey);

  151. 			}

  152. 			JcePBESecretKeyDecryptorBuilder decryptorBuilder = new JcePBESecretKeyDecryptorBuilder()

  153. 					.setProvider(BouncyCastleProvider.PROVIDER_NAME);

  154. 			PGPPrivateKey privateKey = null;

  155. 			if (!passphrasePrompt.hasPassphrase()) {

  156. 				// Either the key is not encrypted, or it was read from the

  157. 				// legacy secring.gpg. Try getting the private key without

  158. 				// passphrase first.

  159. 				try {

  160. 					privateKey = secretKey.extractPrivateKey(

  161. 							decryptorBuilder.build(new char[0]));

  162. 				} catch (PGPException e) {

  163. 					// Ignore and try again with passphrase below

  164. 				}

  165. 			}

  166. 			if (privateKey == null) {

  167. 				// Try using a passphrase

  168. 				char[] passphrase = passphrasePrompt.getPassphrase(

  169. 						secretKey.getPublicKey().getFingerprint(),

  170. 						gpgKey.getOrigin());

  171. 				privateKey = secretKey

  172. 						.extractPrivateKey(decryptorBuilder.build(passphrase));

  173. 			}

  174. 			PGPPublicKey publicKey = secretKey.getPublicKey();

  175. 			PGPSignatureGenerator signatureGenerator = new PGPSignatureGenerator(

  176. 					new JcaPGPContentSignerBuilder(

  177. 							publicKey.getAlgorithm(),

  178. 							HashAlgorithmTags.SHA256).setProvider(

  179. 									BouncyCastleProvider.PROVIDER_NAME));

  180. 			signatureGenerator.init(PGPSignature.BINARY_DOCUMENT, privateKey);

  181. 			PGPSignatureSubpacketGenerator subpackets = new PGPSignatureSubpacketGenerator();

  182. 			subpackets.setIssuerFingerprint(false, publicKey);

  183. 			// Also add the signer's user ID. Note that GPG uses only the e-mail

  184. 			// address part.

  185. 			String userId = committer.getEmailAddress();

  186. 			Iterator<String> userIds = publicKey.getUserIDs();

  187. 			if (userIds.hasNext()) {

  188. 				String keyUserId = userIds.next();

  189. 				if (!StringUtils.isEmptyOrNull(keyUserId)

  190. 						&& (userId == null || !keyUserId.contains(userId))) {

  191. 					// Not the committer's key?

  192. 					userId = extractSignerId(keyUserId);

  193. 				}

  194. 			}

  195. 			if (userId != null) {

  196. 				subpackets.setSignerUserID(false, userId);

  197. 			}

  198. 			signatureGenerator

  199. 					.setHashedSubpackets(subpackets.generate());

  200. 			ByteArrayOutputStream buffer = new ByteArrayOutputStream();

  201. 			try (BCPGOutputStream out = new BCPGOutputStream(

  202. 					new ArmoredOutputStream(buffer))) {

  203. 				signatureGenerator.update(object.build());

  204. 				signatureGenerator.generate().encode(out);

  205. 			}

  206. 			object.setGpgSignature(new GpgSignature(buffer.toByteArray()));

  207. 		} catch (PGPException | IOException | NoSuchAlgorithmException

  208. 				| NoSuchProviderException | URISyntaxException e) {

  209. 			throw new JGitInternalException(e.getMessage(), e);

  210. 		}

  211. 	}

  212. 

  213. 	private String extractSignerId(String pgpUserId) {

  214. 		int from = pgpUserId.indexOf('<');

  215. 		if (from >= 0) {

  216. 			int to = pgpUserId.indexOf('>', from + 1);

  217. 			if (to > from + 1) {

  218. 				return pgpUserId.substring(from + 1, to);

  219. 			}

  220. 		}

  221. 		return pgpUserId;

  222. 	}

  223. }