mirrors
/
jgit
огледало од https://github.com/eclipse/jgit.git
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Издања 204 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7904 Комити
49 Гране
Дрво: 80dcd94bfd
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '80dcd94bfd'
${ noResults }
jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgKeyLocator.java

BouncyCastleGpgKeyLocator.java 21KB
Датотека Blame Историја

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646 
  1. /*

  2.  * Copyright (C) 2018, 2020 Salesforce and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.gpg.bc.internal;

  11. 

  12. import static java.nio.file.Files.exists;

  13. import static java.nio.file.Files.newInputStream;

  14. 

  15. import java.io.BufferedInputStream;

  16. import java.io.File;

  17. import java.io.IOException;

  18. import java.io.InputStream;

  19. import java.net.URISyntaxException;

  20. import java.nio.file.DirectoryStream;

  21. import java.nio.file.Files;

  22. import java.nio.file.InvalidPathException;

  23. import java.nio.file.Path;

  24. import java.nio.file.Paths;

  25. import java.security.NoSuchAlgorithmException;

  26. import java.security.NoSuchProviderException;

  27. import java.text.MessageFormat;

  28. import java.util.ArrayList;

  29. import java.util.Iterator;

  30. import java.util.List;

  31. import java.util.Locale;

  32. import java.util.stream.Collectors;

  33. import java.util.stream.Stream;

  34. 

  35. import org.bouncycastle.gpg.SExprParser;

  36. import org.bouncycastle.gpg.keybox.BlobType;

  37. import org.bouncycastle.gpg.keybox.KeyBlob;

  38. import org.bouncycastle.gpg.keybox.KeyBox;

  39. import org.bouncycastle.gpg.keybox.KeyInformation;

  40. import org.bouncycastle.gpg.keybox.PublicKeyRingBlob;

  41. import org.bouncycastle.gpg.keybox.UserID;

  42. import org.bouncycastle.gpg.keybox.jcajce.JcaKeyBoxBuilder;

  43. import org.bouncycastle.openpgp.PGPException;

  44. import org.bouncycastle.openpgp.PGPKeyFlags;

  45. import org.bouncycastle.openpgp.PGPPublicKey;

  46. import org.bouncycastle.openpgp.PGPPublicKeyRing;

  47. import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;

  48. import org.bouncycastle.openpgp.PGPSecretKey;

  49. import org.bouncycastle.openpgp.PGPSecretKeyRing;

  50. import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;

  51. import org.bouncycastle.openpgp.PGPSignature;

  52. import org.bouncycastle.openpgp.PGPUtil;

  53. import org.bouncycastle.openpgp.operator.PBEProtectionRemoverFactory;

  54. import org.bouncycastle.openpgp.operator.PGPDigestCalculatorProvider;

  55. import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

  56. import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder;

  57. import org.bouncycastle.openpgp.operator.jcajce.JcePBEProtectionRemoverFactory;

  58. import org.bouncycastle.util.encoders.Hex;

  59. import org.eclipse.jgit.annotations.NonNull;

  60. import org.eclipse.jgit.api.errors.CanceledException;

  61. import org.eclipse.jgit.errors.UnsupportedCredentialItem;

  62. import org.eclipse.jgit.util.FS;

  63. import org.eclipse.jgit.util.StringUtils;

  64. import org.eclipse.jgit.util.SystemReader;

  65. import org.slf4j.Logger;

  66. import org.slf4j.LoggerFactory;

  67. 

  68. /**

  69.  * Locates GPG keys from either <code>~/.gnupg/private-keys-v1.d</code> or

  70.  * <code>~/.gnupg/secring.gpg</code>

  71.  */

  72. public class BouncyCastleGpgKeyLocator {

  73. 

  74. 	/** Thrown if a keybox file exists but doesn't contain an OpenPGP key. */

  75. 	private static class NoOpenPgpKeyException extends Exception {

  76. 

  77. 		private static final long serialVersionUID = 1L;

  78. 

  79. 	}

  80. 

  81. 	/** Thrown if we try to read an encrypted private key without password. */

  82. 	private static class EncryptedPgpKeyException extends RuntimeException {

  83. 

  84. 		private static final long serialVersionUID = 1L;

  85. 

  86. 	}

  87. 

  88. 	private static final Logger log = LoggerFactory

  89. 			.getLogger(BouncyCastleGpgKeyLocator.class);

  90. 

  91. 	private static final Path GPG_DIRECTORY = findGpgDirectory();

  92. 

  93. 	private static final Path USER_KEYBOX_PATH = GPG_DIRECTORY

  94. 			.resolve("pubring.kbx"); //$NON-NLS-1$

  95. 

  96. 	private static final Path USER_SECRET_KEY_DIR = GPG_DIRECTORY

  97. 			.resolve("private-keys-v1.d"); //$NON-NLS-1$

  98. 

  99. 	private static final Path USER_PGP_PUBRING_FILE = GPG_DIRECTORY

  100. 			.resolve("pubring.gpg"); //$NON-NLS-1$

  101. 

  102. 	private static final Path USER_PGP_LEGACY_SECRING_FILE = GPG_DIRECTORY

  103. 			.resolve("secring.gpg"); //$NON-NLS-1$

  104. 

  105. 	private final String signingKey;

  106. 

  107. 	private BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt;

  108. 

  109. 	private static Path findGpgDirectory() {

  110. 		SystemReader system = SystemReader.getInstance();

  111. 		if (system.isWindows()) {

  112. 			// On Windows prefer %APPDATA%\gnupg if it exists, even if Cygwin is

  113. 			// used.

  114. 			String appData = system.getenv("APPDATA"); //$NON-NLS-1$

  115. 			if (appData != null && !appData.isEmpty()) {

  116. 				try {

  117. 					Path directory = Paths.get(appData).resolve("gnupg"); //$NON-NLS-1$

  118. 					if (Files.isDirectory(directory)) {

  119. 						return directory;

  120. 					}

  121. 				} catch (SecurityException | InvalidPathException e) {

  122. 					// Ignore and return the default location below.

  123. 				}

  124. 			}

  125. 		}

  126. 		// All systems, including Cygwin and even Windows if

  127. 		// %APPDATA%\gnupg doesn't exist: ~/.gnupg

  128. 		File home = FS.DETECTED.userHome();

  129. 		if (home == null) {

  130. 			// Oops. What now?

  131. 			home = new File(".").getAbsoluteFile(); //$NON-NLS-1$

  132. 		}

  133. 		return home.toPath().resolve(".gnupg"); //$NON-NLS-1$

  134. 	}

  135. 

  136. 	/**

  137. 	 * Create a new key locator for the specified signing key.

  138. 	 * <p>

  139. 	 * The signing key must either be a hex representation of a specific key or

  140. 	 * a user identity substring (eg., email address). All keys in the KeyBox

  141. 	 * will be looked up in the order as returned by the KeyBox. A key id will

  142. 	 * be searched before attempting to find a key by user id.

  143. 	 * </p>

  144. 	 *

  145. 	 * @param signingKey

  146. 	 *            the signing key to search for

  147. 	 * @param passphrasePrompt

  148. 	 *            the provider to use when asking for key passphrase

  149. 	 */

  150. 	public BouncyCastleGpgKeyLocator(String signingKey,

  151. 			@NonNull BouncyCastleGpgKeyPassphrasePrompt passphrasePrompt) {

  152. 		this.signingKey = signingKey;

  153. 		this.passphrasePrompt = passphrasePrompt;

  154. 	}

  155. 

  156. 	private PGPSecretKey attemptParseSecretKey(Path keyFile,

  157. 			PGPDigestCalculatorProvider calculatorProvider,

  158. 			PBEProtectionRemoverFactory passphraseProvider,

  159. 			PGPPublicKey publicKey) {

  160. 		try (InputStream in = newInputStream(keyFile)) {

  161. 			return new SExprParser(calculatorProvider).parseSecretKey(

  162. 					new BufferedInputStream(in), passphraseProvider, publicKey);

  163. 		} catch (IOException | PGPException | ClassCastException e) {

  164. 			if (log.isDebugEnabled())

  165. 				log.debug("Ignoring unreadable file '{}': {}", keyFile, //$NON-NLS-1$

  166. 						e.getMessage(), e);

  167. 			return null;

  168. 		}

  169. 	}

  170. 

  171. 	/**

  172. 	 * Checks whether a given OpenPGP {@code userId} matches a given

  173. 	 * {@code signingKeySpec}, which is supposed to have one of the formats

  174. 	 * defined by GPG.

  175. 	 * <p>

  176. 	 * Not all formats are supported; only formats starting with '=', '&lt;',

  177. 	 * '@', and '*' are handled. Any other format results in a case-insensitive

  178. 	 * substring match.

  179. 	 * </p>

  180. 	 *

  181. 	 * @param userId

  182. 	 *            of a key

  183. 	 * @param signingKeySpec

  184. 	 *            GPG key identification

  185. 	 * @return whether the {@code userId} matches

  186. 	 * @see <a href=

  187. 	 *      "https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html">GPG

  188. 	 *      Documentation: How to Specify a User ID</a>

  189. 	 */

  190. 	static boolean containsSigningKey(String userId, String signingKeySpec) {

  191. 		if (StringUtils.isEmptyOrNull(userId)

  192. 				|| StringUtils.isEmptyOrNull(signingKeySpec)) {

  193. 			return false;

  194. 		}

  195. 		String toMatch = signingKeySpec;

  196. 		if (toMatch.startsWith("0x") && toMatch.trim().length() > 2) { //$NON-NLS-1$

  197. 			return false; // Explicit fingerprint

  198. 		}

  199. 		int command = toMatch.charAt(0);

  200. 		switch (command) {

  201. 		case '=':

  202. 		case '<':

  203. 		case '@':

  204. 		case '*':

  205. 			toMatch = toMatch.substring(1);

  206. 			if (toMatch.isEmpty()) {

  207. 				return false;

  208. 			}

  209. 			break;

  210. 		default:

  211. 			break;

  212. 		}

  213. 		switch (command) {

  214. 		case '=':

  215. 			return userId.equals(toMatch);

  216. 		case '<': {

  217. 			int begin = userId.indexOf('<');

  218. 			int end = userId.indexOf('>', begin + 1);

  219. 			int stop = toMatch.indexOf('>');

  220. 			return begin >= 0 && end > begin + 1 && stop > 0

  221. 					&& userId.substring(begin + 1, end)

  222. 							.equals(toMatch.substring(0, stop));

  223. 		}

  224. 		case '@': {

  225. 			int begin = userId.indexOf('<');

  226. 			int end = userId.indexOf('>', begin + 1);

  227. 			return begin >= 0 && end > begin + 1

  228. 					&& userId.substring(begin + 1, end).contains(toMatch);

  229. 		}

  230. 		default:

  231. 			if (toMatch.trim().isEmpty()) {

  232. 				return false;

  233. 			}

  234. 			return userId.toLowerCase(Locale.ROOT)

  235. 					.contains(toMatch.toLowerCase(Locale.ROOT));

  236. 		}

  237. 	}

  238. 

  239. 	private String toFingerprint(String keyId) {

  240. 		if (keyId.startsWith("0x")) { //$NON-NLS-1$

  241. 			return keyId.substring(2);

  242. 		}

  243. 		return keyId;

  244. 	}

  245. 

  246. 	private PGPPublicKey findPublicKeyByKeyId(KeyBlob keyBlob)

  247. 			throws IOException {

  248. 		String keyId = toFingerprint(signingKey).toLowerCase(Locale.ROOT);

  249. 		if (keyId.isEmpty()) {

  250. 			return null;

  251. 		}

  252. 		for (KeyInformation keyInfo : keyBlob.getKeyInformation()) {

  253. 			String fingerprint = Hex.toHexString(keyInfo.getFingerprint())

  254. 					.toLowerCase(Locale.ROOT);

  255. 			if (fingerprint.endsWith(keyId)) {

  256. 				return getPublicKey(keyBlob, keyInfo.getFingerprint());

  257. 			}

  258. 		}

  259. 		return null;

  260. 	}

  261. 

  262. 	private PGPPublicKey findPublicKeyByUserId(KeyBlob keyBlob)

  263. 			throws IOException {

  264. 		for (UserID userID : keyBlob.getUserIds()) {

  265. 			if (containsSigningKey(userID.getUserIDAsString(), signingKey)) {

  266. 				return getSigningPublicKey(keyBlob);

  267. 			}

  268. 		}

  269. 		return null;

  270. 	}

  271. 

  272. 	/**

  273. 	 * Finds a public key associated with the signing key.

  274. 	 *

  275. 	 * @param keyboxFile

  276. 	 *            the KeyBox file

  277. 	 * @return publicKey the public key (maybe <code>null</code>)

  278. 	 * @throws IOException

  279. 	 *             in case of problems reading the file

  280. 	 * @throws NoSuchAlgorithmException

  281. 	 * @throws NoSuchProviderException

  282. 	 * @throws NoOpenPgpKeyException

  283. 	 *             if the file does not contain any OpenPGP key

  284. 	 */

  285. 	private PGPPublicKey findPublicKeyInKeyBox(Path keyboxFile)

  286. 			throws IOException, NoSuchAlgorithmException,

  287. 			NoSuchProviderException, NoOpenPgpKeyException {

  288. 		KeyBox keyBox = readKeyBoxFile(keyboxFile);

  289. 		boolean hasOpenPgpKey = false;

  290. 		for (KeyBlob keyBlob : keyBox.getKeyBlobs()) {

  291. 			if (keyBlob.getType() == BlobType.OPEN_PGP_BLOB) {

  292. 				hasOpenPgpKey = true;

  293. 				PGPPublicKey key = findPublicKeyByKeyId(keyBlob);

  294. 				if (key != null) {

  295. 					return key;

  296. 				}

  297. 				key = findPublicKeyByUserId(keyBlob);

  298. 				if (key != null) {

  299. 					return key;

  300. 				}

  301. 			}

  302. 		}

  303. 		if (!hasOpenPgpKey) {

  304. 			throw new NoOpenPgpKeyException();

  305. 		}

  306. 		return null;

  307. 	}

  308. 

  309. 	/**

  310. 	 * If there is a private key directory containing keys, use pubring.kbx or

  311. 	 * pubring.gpg to find the public key; then try to find the secret key in

  312. 	 * the directory.

  313. 	 * <p>

  314. 	 * If there is no private key directory (or it doesn't contain any keys),

  315. 	 * try to find the key in secring.gpg directly.

  316. 	 * </p>

  317. 	 *

  318. 	 * @return the secret key

  319. 	 * @throws IOException

  320. 	 *             in case of issues reading key files

  321. 	 * @throws NoSuchAlgorithmException

  322. 	 * @throws NoSuchProviderException

  323. 	 * @throws PGPException

  324. 	 *             in case of issues finding a key, including no key found

  325. 	 * @throws CanceledException

  326. 	 * @throws URISyntaxException

  327. 	 * @throws UnsupportedCredentialItem

  328. 	 */

  329. 	@NonNull

  330. 	public BouncyCastleGpgKey findSecretKey() throws IOException,

  331. 			NoSuchAlgorithmException, NoSuchProviderException, PGPException,

  332. 			CanceledException, UnsupportedCredentialItem, URISyntaxException {

  333. 		BouncyCastleGpgKey key;

  334. 		PGPPublicKey publicKey = null;

  335. 		if (hasKeyFiles(USER_SECRET_KEY_DIR)) {

  336. 			// Use pubring.kbx or pubring.gpg to find the public key, then try

  337. 			// the key files in the directory. If the public key was found in

  338. 			// pubring.gpg also try secring.gpg to find the secret key.

  339. 			if (exists(USER_KEYBOX_PATH)) {

  340. 				try {

  341. 					publicKey = findPublicKeyInKeyBox(USER_KEYBOX_PATH);

  342. 					if (publicKey != null) {

  343. 						key = findSecretKeyForKeyBoxPublicKey(publicKey,

  344. 								USER_KEYBOX_PATH);

  345. 						if (key != null) {

  346. 							return key;

  347. 						}

  348. 						throw new PGPException(MessageFormat.format(

  349. 								BCText.get().gpgNoSecretKeyForPublicKey,

  350. 								Long.toHexString(publicKey.getKeyID())));

  351. 					}

  352. 					throw new PGPException(MessageFormat.format(

  353. 							BCText.get().gpgNoPublicKeyFound, signingKey));

  354. 				} catch (NoOpenPgpKeyException e) {

  355. 					// There are no OpenPGP keys in the keybox at all: try the

  356. 					// pubring.gpg, if it exists.

  357. 					if (log.isDebugEnabled()) {

  358. 						log.debug("{} does not contain any OpenPGP keys", //$NON-NLS-1$

  359. 								USER_KEYBOX_PATH);

  360. 					}

  361. 				}

  362. 			}

  363. 			if (exists(USER_PGP_PUBRING_FILE)) {

  364. 				publicKey = findPublicKeyInPubring(USER_PGP_PUBRING_FILE);

  365. 				if (publicKey != null) {

  366. 					// GPG < 2.1 may have both; the agent using the directory

  367. 					// and gpg using secring.gpg. GPG >= 2.1 delegates all

  368. 					// secret key handling to the agent and doesn't use

  369. 					// secring.gpg at all, even if it exists. Which means for us

  370. 					// we have to try both since we don't know which GPG version

  371. 					// the user has.

  372. 					key = findSecretKeyForKeyBoxPublicKey(publicKey,

  373. 							USER_PGP_PUBRING_FILE);

  374. 					if (key != null) {

  375. 						return key;

  376. 					}

  377. 				}

  378. 			}

  379. 			if (publicKey == null) {

  380. 				throw new PGPException(MessageFormat.format(

  381. 						BCText.get().gpgNoPublicKeyFound, signingKey));

  382. 			}

  383. 			// We found a public key, but didn't find the secret key in the

  384. 			// private key directory. Go try the secring.gpg.

  385. 		}

  386. 		boolean hasSecring = false;

  387. 		if (exists(USER_PGP_LEGACY_SECRING_FILE)) {

  388. 			hasSecring = true;

  389. 			key = loadKeyFromSecring(USER_PGP_LEGACY_SECRING_FILE);

  390. 			if (key != null) {

  391. 				return key;

  392. 			}

  393. 		}

  394. 		if (publicKey != null) {

  395. 			throw new PGPException(MessageFormat.format(

  396. 					BCText.get().gpgNoSecretKeyForPublicKey,

  397. 					Long.toHexString(publicKey.getKeyID())));

  398. 		} else if (hasSecring) {

  399. 			// publicKey == null: user has _only_ pubring.gpg/secring.gpg.

  400. 			throw new PGPException(MessageFormat.format(

  401. 					BCText.get().gpgNoKeyInLegacySecring, signingKey));

  402. 		} else {

  403. 			throw new PGPException(BCText.get().gpgNoKeyring);

  404. 		}

  405. 	}

  406. 

  407. 	private boolean hasKeyFiles(Path dir) {

  408. 		try (DirectoryStream<Path> contents = Files.newDirectoryStream(dir,

  409. 				"*.key")) { //$NON-NLS-1$

  410. 			return contents.iterator().hasNext();

  411. 		} catch (IOException e) {

  412. 			// Not a directory, or something else

  413. 			return false;

  414. 		}

  415. 	}

  416. 

  417. 	private BouncyCastleGpgKey loadKeyFromSecring(Path secring)

  418. 			throws IOException, PGPException {

  419. 		PGPSecretKey secretKey = findSecretKeyInLegacySecring(signingKey,

  420. 				secring);

  421. 

  422. 		if (secretKey != null) {

  423. 			if (!secretKey.isSigningKey()) {

  424. 				throw new PGPException(MessageFormat

  425. 						.format(BCText.get().gpgNotASigningKey, signingKey));

  426. 			}

  427. 			return new BouncyCastleGpgKey(secretKey, secring);

  428. 		}

  429. 		return null;

  430. 	}

  431. 

  432. 	private BouncyCastleGpgKey findSecretKeyForKeyBoxPublicKey(

  433. 			PGPPublicKey publicKey, Path userKeyboxPath)

  434. 			throws PGPException, CanceledException, UnsupportedCredentialItem,

  435. 			URISyntaxException {

  436. 		/*

  437. 		 * this is somewhat brute-force but there doesn't seem to be another

  438. 		 * way; we have to walk all private key files we find and try to open

  439. 		 * them

  440. 		 */

  441. 

  442. 		PGPDigestCalculatorProvider calculatorProvider = new JcaPGPDigestCalculatorProviderBuilder()

  443. 				.build();

  444. 

  445. 		try (Stream<Path> keyFiles = Files.walk(USER_SECRET_KEY_DIR)) {

  446. 			List<Path> allPaths = keyFiles.filter(Files::isRegularFile)

  447. 					.collect(Collectors.toCollection(ArrayList::new));

  448. 			if (allPaths.isEmpty()) {

  449. 				return null;

  450. 			}

  451. 			PBEProtectionRemoverFactory passphraseProvider = p -> {

  452. 				throw new EncryptedPgpKeyException();

  453. 			};

  454. 			for (int attempts = 0; attempts < 2; attempts++) {

  455. 				// Second pass will traverse only the encrypted keys with a real

  456. 				// passphrase provider.

  457. 				Iterator<Path> pathIterator = allPaths.iterator();

  458. 				while (pathIterator.hasNext()) {

  459. 					Path keyFile = pathIterator.next();

  460. 					try {

  461. 						PGPSecretKey secretKey = attemptParseSecretKey(keyFile,

  462. 								calculatorProvider, passphraseProvider,

  463. 								publicKey);

  464. 						pathIterator.remove();

  465. 						if (secretKey != null) {

  466. 							if (!secretKey.isSigningKey()) {

  467. 								throw new PGPException(MessageFormat.format(

  468. 										BCText.get().gpgNotASigningKey,

  469. 										signingKey));

  470. 							}

  471. 							return new BouncyCastleGpgKey(secretKey,

  472. 									userKeyboxPath);

  473. 						}

  474. 					} catch (EncryptedPgpKeyException e) {

  475. 						// Ignore; we'll try again.

  476. 					}

  477. 				}

  478. 				if (attempts > 0 || allPaths.isEmpty()) {

  479. 					break;

  480. 				}

  481. 				// allPaths contains only the encrypted keys now.

  482. 				passphraseProvider = new JcePBEProtectionRemoverFactory(

  483. 						passphrasePrompt.getPassphrase(

  484. 								publicKey.getFingerprint(), userKeyboxPath));

  485. 			}

  486. 

  487. 			passphrasePrompt.clear();

  488. 			return null;

  489. 		} catch (RuntimeException e) {

  490. 			passphrasePrompt.clear();

  491. 			throw e;

  492. 		} catch (IOException e) {

  493. 			passphrasePrompt.clear();

  494. 			throw new PGPException(MessageFormat.format(

  495. 					BCText.get().gpgFailedToParseSecretKey,

  496. 					USER_SECRET_KEY_DIR.toAbsolutePath()), e);

  497. 		}

  498. 	}

  499. 

  500. 	/**

  501. 	 * Return the first suitable key for signing in the key ring collection. For

  502. 	 * this case we only expect there to be one key available for signing.

  503. 	 * </p>

  504. 	 *

  505. 	 * @param signingkey

  506. 	 * @param secringFile

  507. 	 *

  508. 	 * @return the first suitable PGP secret key found for signing

  509. 	 * @throws IOException

  510. 	 *             on I/O related errors

  511. 	 * @throws PGPException

  512. 	 *             on BouncyCastle errors

  513. 	 */

  514. 	private PGPSecretKey findSecretKeyInLegacySecring(String signingkey,

  515. 			Path secringFile) throws IOException, PGPException {

  516. 

  517. 		try (InputStream in = newInputStream(secringFile)) {

  518. 			PGPSecretKeyRingCollection pgpSec = new PGPSecretKeyRingCollection(

  519. 					PGPUtil.getDecoderStream(new BufferedInputStream(in)),

  520. 					new JcaKeyFingerprintCalculator());

  521. 

  522. 			String keyId = toFingerprint(signingkey).toLowerCase(Locale.ROOT);

  523. 			Iterator<PGPSecretKeyRing> keyrings = pgpSec.getKeyRings();

  524. 			while (keyrings.hasNext()) {

  525. 				PGPSecretKeyRing keyRing = keyrings.next();

  526. 				Iterator<PGPSecretKey> keys = keyRing.getSecretKeys();

  527. 				while (keys.hasNext()) {

  528. 					PGPSecretKey key = keys.next();

  529. 					// try key id

  530. 					String fingerprint = Hex

  531. 							.toHexString(key.getPublicKey().getFingerprint())

  532. 							.toLowerCase(Locale.ROOT);

  533. 					if (fingerprint.endsWith(keyId)) {

  534. 						return key;

  535. 					}

  536. 					// try user id

  537. 					Iterator<String> userIDs = key.getUserIDs();

  538. 					while (userIDs.hasNext()) {

  539. 						String userId = userIDs.next();

  540. 						if (containsSigningKey(userId, signingKey)) {

  541. 							return key;

  542. 						}

  543. 					}

  544. 				}

  545. 			}

  546. 		}

  547. 		return null;

  548. 	}

  549. 

  550. 	/**

  551. 	 * Return the first public key matching the key id ({@link #signingKey}.

  552. 	 *

  553. 	 * @param pubringFile

  554. 	 *

  555. 	 * @return the PGP public key, or {@code null} if none found

  556. 	 * @throws IOException

  557. 	 *             on I/O related errors

  558. 	 * @throws PGPException

  559. 	 *             on BouncyCastle errors

  560. 	 */

  561. 	private PGPPublicKey findPublicKeyInPubring(Path pubringFile)

  562. 			throws IOException, PGPException {

  563. 		try (InputStream in = newInputStream(pubringFile)) {

  564. 			PGPPublicKeyRingCollection pgpPub = new PGPPublicKeyRingCollection(

  565. 					new BufferedInputStream(in),

  566. 					new JcaKeyFingerprintCalculator());

  567. 

  568. 			String keyId = toFingerprint(signingKey).toLowerCase(Locale.ROOT);

  569. 			Iterator<PGPPublicKeyRing> keyrings = pgpPub.getKeyRings();

  570. 			while (keyrings.hasNext()) {

  571. 				PGPPublicKeyRing keyRing = keyrings.next();

  572. 				Iterator<PGPPublicKey> keys = keyRing.getPublicKeys();

  573. 				while (keys.hasNext()) {

  574. 					PGPPublicKey key = keys.next();

  575. 					// try key id

  576. 					String fingerprint = Hex.toHexString(key.getFingerprint())

  577. 							.toLowerCase(Locale.ROOT);

  578. 					if (fingerprint.endsWith(keyId)) {

  579. 						return key;

  580. 					}

  581. 					// try user id

  582. 					Iterator<String> userIDs = key.getUserIDs();

  583. 					while (userIDs.hasNext()) {

  584. 						String userId = userIDs.next();

  585. 						if (containsSigningKey(userId, signingKey)) {

  586. 							return key;

  587. 						}

  588. 					}

  589. 				}

  590. 			}

  591. 		}

  592. 		return null;

  593. 	}

  594. 

  595. 	private PGPPublicKey getPublicKey(KeyBlob blob, byte[] fingerprint)

  596. 			throws IOException {

  597. 		return ((PublicKeyRingBlob) blob).getPGPPublicKeyRing()

  598. 				.getPublicKey(fingerprint);

  599. 	}

  600. 

  601. 	private PGPPublicKey getSigningPublicKey(KeyBlob blob) throws IOException {

  602. 		PGPPublicKey masterKey = null;

  603. 		Iterator<PGPPublicKey> keys = ((PublicKeyRingBlob) blob)

  604. 				.getPGPPublicKeyRing().getPublicKeys();

  605. 		while (keys.hasNext()) {

  606. 			PGPPublicKey key = keys.next();

  607. 			// only consider keys that have the [S] usage flag set

  608. 			if (isSigningKey(key)) {

  609. 				if (key.isMasterKey()) {

  610. 					masterKey = key;

  611. 				} else {

  612. 					return key;

  613. 				}

  614. 			}

  615. 		}

  616. 		// return the master key if no other signing key was found or null if

  617. 		// the master key did not have the signing flag set

  618. 		return masterKey;

  619. 	}

  620. 

  621. 	private boolean isSigningKey(PGPPublicKey key) {

  622. 		Iterator signatures = key.getSignatures();

  623. 		while (signatures.hasNext()) {

  624. 			PGPSignature sig = (PGPSignature) signatures.next();

  625. 			if ((sig.getHashedSubPackets().getKeyFlags()

  626. 					& PGPKeyFlags.CAN_SIGN) > 0) {

  627. 				return true;

  628. 			}

  629. 		}

  630. 		return false;

  631. 	}

  632. 

  633. 	private KeyBox readKeyBoxFile(Path keyboxFile) throws IOException,

  634. 			NoSuchAlgorithmException, NoSuchProviderException,

  635. 			NoOpenPgpKeyException {

  636. 		if (keyboxFile.toFile().length() == 0) {

  637. 			throw new NoOpenPgpKeyException();

  638. 		}

  639. 		KeyBox keyBox;

  640. 		try (InputStream in = new BufferedInputStream(

  641. 				newInputStream(keyboxFile))) {

  642. 			keyBox = new JcaKeyBoxBuilder().build(in);

  643. 		}

  644. 		return keyBox;

  645. 	}

  646. }