mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8256 Commits
49 Branches
Tree: f659797199
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f659797199'
${ noResults }
jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/keys/KeyGrip.java

KeyGrip.java 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322 
  1. /*

  2.  * Copyright (C) 2021, Thomas Wolf <thomas.wolf@paranor.ch> and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.gpg.bc.internal.keys;

  11. 

  12. import java.math.BigInteger;

  13. import java.nio.charset.StandardCharsets;

  14. import java.text.MessageFormat;

  15. import java.util.Arrays;

  16. 

  17. import org.bouncycastle.asn1.ASN1ObjectIdentifier;

  18. import org.bouncycastle.asn1.cryptlib.CryptlibObjectIdentifiers;

  19. import org.bouncycastle.asn1.x9.ECNamedCurveTable;

  20. import org.bouncycastle.asn1.x9.X9ECParameters;

  21. import org.bouncycastle.bcpg.DSAPublicBCPGKey;

  22. import org.bouncycastle.bcpg.ECPublicBCPGKey;

  23. import org.bouncycastle.bcpg.ElGamalPublicBCPGKey;

  24. import org.bouncycastle.bcpg.PublicKeyAlgorithmTags;

  25. import org.bouncycastle.bcpg.RSAPublicBCPGKey;

  26. import org.bouncycastle.crypto.ec.CustomNamedCurves;

  27. import org.bouncycastle.math.ec.ECAlgorithms;

  28. import org.bouncycastle.math.field.FiniteField;

  29. import org.bouncycastle.openpgp.PGPException;

  30. import org.bouncycastle.openpgp.PGPPublicKey;

  31. import org.bouncycastle.util.encoders.Hex;

  32. import org.eclipse.jgit.annotations.NonNull;

  33. import org.eclipse.jgit.gpg.bc.internal.BCText;

  34. import org.eclipse.jgit.util.sha1.SHA1;

  35. 

  36. /**

  37.  * Utilities to compute the <em>keygrip</em> of a key. A keygrip is a SHA1 hash

  38.  * over the public key parameters and is used internally by the gpg-agent to

  39.  * find the secret key belonging to a public key: the secret key is stored in a

  40.  * file under ~/.gnupg/private-keys-v1.d/ with a name "&lt;keygrip>.key". While

  41.  * this storage organization is an implementation detail of GPG, the way

  42.  * keygrips are computed is not; they are computed by libgcrypt and their

  43.  * definition is stable.

  44.  */

  45. public final class KeyGrip {

  46. 

  47. 	// Some OIDs apparently unknown to BouncyCastle.

  48. 

  49. 	private static String OID_OPENPGP_ED25519 = "1.3.6.1.4.1.11591.15.1"; //$NON-NLS-1$

  50. 

  51. 	private static String OID_RFC8410_CURVE25519 = "1.3.101.110"; //$NON-NLS-1$

  52. 

  53. 	private static String OID_RFC8410_ED25519 = "1.3.101.112"; //$NON-NLS-1$

  54. 

  55. 	private KeyGrip() {

  56. 		// No instantiation

  57. 	}

  58. 

  59. 	/**

  60. 	 * Computes the keygrip for a {@link PGPPublicKey}.

  61. 	 *

  62. 	 * @param publicKey

  63. 	 *            to get the keygrip of

  64. 	 * @return the keygrip

  65. 	 * @throws PGPException

  66. 	 *             if an unknown key type is encountered.

  67. 	 */

  68. 	@NonNull

  69. 	public static byte[] getKeyGrip(PGPPublicKey publicKey)

  70. 			throws PGPException {

  71. 		SHA1 grip = SHA1.newInstance();

  72. 		grip.setDetectCollision(false);

  73. 

  74. 		switch (publicKey.getAlgorithm()) {

  75. 		case PublicKeyAlgorithmTags.RSA_GENERAL:

  76. 		case PublicKeyAlgorithmTags.RSA_ENCRYPT:

  77. 		case PublicKeyAlgorithmTags.RSA_SIGN:

  78. 			BigInteger modulus = ((RSAPublicBCPGKey) publicKey

  79. 					.getPublicKeyPacket().getKey()).getModulus();

  80. 			hash(grip, modulus.toByteArray());

  81. 			break;

  82. 		case PublicKeyAlgorithmTags.DSA:

  83. 			DSAPublicBCPGKey dsa = (DSAPublicBCPGKey) publicKey

  84. 					.getPublicKeyPacket().getKey();

  85. 			hash(grip, dsa.getP().toByteArray(), 'p', true);

  86. 			hash(grip, dsa.getQ().toByteArray(), 'q', true);

  87. 			hash(grip, dsa.getG().toByteArray(), 'g', true);

  88. 			hash(grip, dsa.getY().toByteArray(), 'y', true);

  89. 			break;

  90. 		case PublicKeyAlgorithmTags.ELGAMAL_GENERAL:

  91. 		case PublicKeyAlgorithmTags.ELGAMAL_ENCRYPT:

  92. 			ElGamalPublicBCPGKey eg = (ElGamalPublicBCPGKey) publicKey

  93. 					.getPublicKeyPacket().getKey();

  94. 			hash(grip, eg.getP().toByteArray(), 'p', true);

  95. 			hash(grip, eg.getG().toByteArray(), 'g', true);

  96. 			hash(grip, eg.getY().toByteArray(), 'y', true);

  97. 			break;

  98. 		case PublicKeyAlgorithmTags.ECDH:

  99. 		case PublicKeyAlgorithmTags.ECDSA:

  100. 		case PublicKeyAlgorithmTags.EDDSA:

  101. 			ECPublicBCPGKey ec = (ECPublicBCPGKey) publicKey

  102. 					.getPublicKeyPacket().getKey();

  103. 			ASN1ObjectIdentifier curveOID = ec.getCurveOID();

  104. 			// BC doesn't know these OIDs.

  105. 			if (OID_OPENPGP_ED25519.equals(curveOID.getId())

  106. 					|| OID_RFC8410_ED25519.equals(curveOID.getId())) {

  107. 				return hashEd25519(grip, ec.getEncodedPoint());

  108. 			} else if (CryptlibObjectIdentifiers.curvey25519.equals(curveOID)

  109. 					|| OID_RFC8410_CURVE25519.equals(curveOID.getId())) {

  110. 				// curvey25519 actually is the OpenPGP OID for Curve25519 and is

  111. 				// known to BC, but the parameters are for the short Weierstrass

  112. 				// form. See https://github.com/bcgit/bc-java/issues/399 .

  113. 				// libgcrypt uses Montgomery form.

  114. 				return hashCurve25519(grip, ec.getEncodedPoint());

  115. 			}

  116. 			X9ECParameters params = getX9Parameters(curveOID);

  117. 			if (params == null) {

  118. 				throw new PGPException(MessageFormat

  119. 						.format(BCText.get().unknownCurve, curveOID.getId()));

  120. 			}

  121. 			// Need to write p, a, b, g, n, q

  122. 			BigInteger q = ec.getEncodedPoint();

  123. 			byte[] g = params.getG().getEncoded(false);

  124. 			BigInteger a = params.getCurve().getA().toBigInteger();

  125. 			BigInteger b = params.getCurve().getB().toBigInteger();

  126. 			BigInteger n = params.getN();

  127. 			BigInteger p = null;

  128. 			FiniteField field = params.getCurve().getField();

  129. 			if (ECAlgorithms.isFpField(field)) {

  130. 				p = field.getCharacteristic();

  131. 			}

  132. 			if (p == null) {

  133. 				// Don't know...

  134. 				throw new PGPException(MessageFormat.format(

  135. 						BCText.get().unknownCurveParameters, curveOID.getId()));

  136. 			}

  137. 			hash(grip, p.toByteArray(), 'p', false);

  138. 			hash(grip, a.toByteArray(), 'a', false);

  139. 			hash(grip, b.toByteArray(), 'b', false);

  140. 			hash(grip, g, 'g', false);

  141. 			hash(grip, n.toByteArray(), 'n', false);

  142. 			if (publicKey.getAlgorithm() == PublicKeyAlgorithmTags.EDDSA) {

  143. 				hashQ25519(grip, q);

  144. 			} else {

  145. 				hash(grip, q.toByteArray(), 'q', false);

  146. 			}

  147. 			break;

  148. 		default:

  149. 			throw new PGPException(

  150. 					MessageFormat.format(BCText.get().unknownKeyType,

  151. 							Integer.toString(publicKey.getAlgorithm())));

  152. 		}

  153. 		return grip.digest();

  154. 	}

  155. 

  156. 	private static void hash(SHA1 grip, byte[] data) {

  157. 		// Need to skip leading zero bytes

  158. 		int i = 0;

  159. 		while (i < data.length && data[i] == 0) {

  160. 			i++;

  161. 		}

  162. 		int length = data.length - i;

  163. 		if (i < data.length) {

  164. 			if ((data[i] & 0x80) != 0) {

  165. 				grip.update((byte) 0);

  166. 			}

  167. 			grip.update(data, i, length);

  168. 		}

  169. 	}

  170. 

  171. 	private static void hash(SHA1 grip, byte[] data, char id, boolean zeroPad) {

  172. 		// Need to skip leading zero bytes

  173. 		int i = 0;

  174. 		while (i < data.length && data[i] == 0) {

  175. 			i++;

  176. 		}

  177. 		int length = data.length - i;

  178. 		boolean addZero = false;

  179. 		if (i < data.length && zeroPad && (data[i] & 0x80) != 0) {

  180. 			addZero = true;

  181. 		}

  182. 		// libgcrypt includes an SExp in the hash

  183. 		String prefix = "(1:" + id + (addZero ? length + 1 : length) + ':'; //$NON-NLS-1$

  184. 		grip.update(prefix.getBytes(StandardCharsets.US_ASCII));

  185. 		// For some items, gcrypt prepends a zero byte if the high bit is set

  186. 		if (addZero) {

  187. 			grip.update((byte) 0);

  188. 		}

  189. 		if (i < data.length) {

  190. 			grip.update(data, i, length);

  191. 		}

  192. 		grip.update((byte) ')');

  193. 	}

  194. 

  195. 	private static void hashQ25519(SHA1 grip, BigInteger q)

  196. 			throws PGPException {

  197. 		byte[] data = q.toByteArray();

  198. 		switch (data[0]) {

  199. 		case 0x04:

  200. 			if (data.length != 65) {

  201. 				throw new PGPException(MessageFormat.format(

  202. 						BCText.get().corrupt25519Key, Hex.toHexString(data)));

  203. 			}

  204. 			// Uncompressed: should not occur with ed25519 or curve25519

  205. 			throw new PGPException(MessageFormat.format(

  206. 					BCText.get().uncompressed25519Key, Hex.toHexString(data)));

  207. 		case 0x40:

  208. 			if (data.length != 33) {

  209. 				throw new PGPException(MessageFormat.format(

  210. 						BCText.get().corrupt25519Key, Hex.toHexString(data)));

  211. 			}

  212. 			// Compressed; normal case. Skip prefix.

  213. 			hash(grip, Arrays.copyOfRange(data, 1, data.length), 'q', false);

  214. 			break;

  215. 		default:

  216. 			if (data.length != 32) {

  217. 				throw new PGPException(MessageFormat.format(

  218. 						BCText.get().corrupt25519Key, Hex.toHexString(data)));

  219. 			}

  220. 			// Compressed format without prefix. Should not occur?

  221. 			hash(grip, data, 'q', false);

  222. 			break;

  223. 		}

  224. 	}

  225. 

  226. 	/**

  227. 	 * Computes the keygrip for an ed25519 public key.

  228. 	 * <p>

  229. 	 * Package-visible for tests only.

  230. 	 * </p>

  231. 	 *

  232. 	 * @param grip

  233. 	 *            initialized {@link SHA1}

  234. 	 * @param q

  235. 	 *            the public key's EC point

  236. 	 * @return the keygrip

  237. 	 * @throws PGPException

  238. 	 *             if q indicates uncompressed format

  239. 	 */

  240. 	@SuppressWarnings("nls")

  241. 	static byte[] hashEd25519(SHA1 grip, BigInteger q) throws PGPException {

  242. 		// For the values, see RFC 7748: https://tools.ietf.org/html/rfc7748

  243. 		// p = 2^255 - 19

  244. 		hash(grip, Hex.decodeStrict(

  245. 				"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED"),

  246. 				'p', false);

  247. 		// Field: a = 1

  248. 		hash(grip, new byte[] { 0x01 }, 'a', false);

  249. 		// Field: b = 121665/121666 (mod p)

  250. 		// See Berstein et.al., "Twisted Edwards Curves",

  251. 		// https://doi.org/10.1007/978-3-540-68164-9_26

  252. 		hash(grip, Hex.decodeStrict(

  253. 				"2DFC9311D490018C7338BF8688861767FF8FF5B2BEBE27548A14B235ECA6874A"),

  254. 				'b', false);

  255. 		// Generator point with affine X,Y

  256. 		// @formatter:off

  257. 		// X(P) = 15112221349535400772501151409588531511454012693041857206046113283949847762202

  258. 		// Y(P) = 46316835694926478169428394003475163141307993866256225615783033603165251855960

  259. 		// the "04" signifies uncompressed format.

  260. 		// @formatter:on

  261. 		hash(grip, Hex.decodeStrict("04"

  262. 				+ "216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A"

  263. 				+ "6666666666666666666666666666666666666666666666666666666666666658"),

  264. 				'g', false);

  265. 		// order = 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed

  266. 		hash(grip, Hex.decodeStrict(

  267. 				"1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED"),

  268. 				'n', false);

  269. 		hashQ25519(grip, q);

  270. 		return grip.digest();

  271. 	}

  272. 

  273. 	/**

  274. 	 * Computes the keygrip for a curve25519 public key.

  275. 	 * <p>

  276. 	 * Package-visible for tests only.

  277. 	 * </p>

  278. 	 *

  279. 	 * @param grip

  280. 	 *            initialized {@link SHA1}

  281. 	 * @param q

  282. 	 *            the public key's EC point

  283. 	 * @return the keygrip

  284. 	 * @throws PGPException

  285. 	 *             if q indicates uncompressed format

  286. 	 */

  287. 	@SuppressWarnings("nls")

  288. 	static byte[] hashCurve25519(SHA1 grip, BigInteger q) throws PGPException {

  289. 		hash(grip, Hex.decodeStrict(

  290. 				"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED"),

  291. 				'p', false);

  292. 		// Unclear: RFC 7748 says A = 486662. This value here is (A-2)/4 =

  293. 		// 121665. Compare ecc-curves.c in libgcrypt:

  294. 		// https://github.com/gpg/libgcrypt/blob/361a058/cipher/ecc-curves.c#L146

  295. 		hash(grip, new byte[] { 0x01, (byte) 0xDB, 0x41 }, 'a', false);

  296. 		hash(grip, new byte[] { 0x01 }, 'b', false);

  297. 		// libgcrypt uses the old g.y value before the erratum to RFC 7748 for

  298. 		// the keygrip. The new value would be

  299. 		// 5F51E65E475F794B1FE122D388B72EB36DC2B28192839E4DD6163A5D81312C14. See

  300. 		// https://www.rfc-editor.org/errata/eid4730 and

  301. 		// https://github.com/gpg/libgcrypt/commit/f67b6492e0b0

  302. 		hash(grip, Hex.decodeStrict("04"

  303. 				+ "0000000000000000000000000000000000000000000000000000000000000009"

  304. 				+ "20AE19A1B8A086B4E01EDD2C7748D14C923D4D7E6D7C61B229E9C5A27ECED3D9"),

  305. 				'g', false);

  306. 		hash(grip, Hex.decodeStrict(

  307. 				"1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED"),

  308. 				'n', false);

  309. 		hashQ25519(grip, q);

  310. 		return grip.digest();

  311. 	}

  312. 

  313. 	private static X9ECParameters getX9Parameters(

  314. 			ASN1ObjectIdentifier curveOID) {

  315. 		X9ECParameters params = CustomNamedCurves.getByOID(curveOID);

  316. 		if (params == null) {

  317. 			params = ECNamedCurveTable.getByOID(curveOID);

  318. 		}

  319. 		return params;

  320. 	}

  321. 

  322. }