Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-12 16:35:45 +01:00
Code Issues Packages Projects Releases Activity

show signature key on changeset

Browse Source
This commit is contained in:
Eduard Heimbuch
2020-07-28 17:52:20 +02:00
parent 0c45cf21e3
commit b22ead23de
37 changed files with 806 additions and 385 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
scm-webapp/src/main/java/sonia/scm/security/gpg/DefaultGPG.java
View File

@@ -24,7 +24,10 @@
package sonia.scm.security.gpg;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.bcpg.ArmoredInputStream;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.security.GPG;
@@ -32,6 +35,7 @@ import sonia.scm.security.PrivateKey;
import sonia.scm.security.PublicKey;
import javax.inject.Inject;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
@@ -51,8 +55,11 @@ public class DefaultGPG implements GPG {
@Override
public String findPublicKeyId(byte[] signature) {
try {
return Keys.resolveIdFromKey(new String(signature));
} catch (PGPException | IOException e) {
ArmoredInputStream armoredInputStream = new ArmoredInputStream(new ByteArrayInputStream(signature));
PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(armoredInputStream, new JcaKeyFingerprintCalculator());
PGPSignatureList signatures = (PGPSignatureList) pgpObjectFactory.nextObject();
return "0x" + Long.toHexString(signatures.get(0).getKeyID()).toUpperCase();
} catch (IOException e) {
LOG.error("Could not find public key id in signature");
}
return "";
@@ -61,7 +68,8 @@ public class DefaultGPG implements GPG {
@Override
public Optional<PublicKey> findPublicKey(String id) {
Optional<RawGpgKey> key = store.findById(id);
return key.map(rawGpgKey -> new GpgKey(id, rawGpgKey.getOwner()));
return key.map(rawGpgKey -> new GpgKey(id, rawGpgKey.getOwner(), rawGpgKey.getRaw().getBytes()));
}
@Override
@@ -71,7 +79,7 @@ public class DefaultGPG implements GPG {
if (!keys.isEmpty()) {
return keys
.stream()
.map(rawGpgKey -> new GpgKey(rawGpgKey.getId(), rawGpgKey.getOwner()))
.map(rawGpgKey -> new GpgKey(rawGpgKey.getId(), rawGpgKey.getOwner(), rawGpgKey.getRaw().getBytes()))
.collect(Collectors.toSet());
}

25
scm-webapp/src/main/java/sonia/scm/security/gpg/GpgKey.java
View File

@@ -43,7 +43,9 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.Optional;
import java.util.Set;
public class GpgKey implements PublicKey {
@@ -51,10 +53,16 @@ public class GpgKey implements PublicKey {
private final String id;
private final String owner;
private final Set<String> contacts = new LinkedHashSet<>();
public GpgKey(String id, String owner) {
public GpgKey(String id, String owner, byte[] raw) {
this.id = id;
this.owner = owner;
try {
getPgpPublicKey(raw).getUserIDs().forEachRemaining(contacts::add);
} catch (IOException e) {
LOG.error("Could not find contacts in public key", e);
}
}
@Override
@@ -70,13 +78,16 @@ public class GpgKey implements PublicKey {
return Optional.of(owner);
}
@Override
public Set<String> getContacts() {
return contacts;
}
@Override
public boolean verify(InputStream stream, byte[] signature) {
boolean verified = false;
try {
ArmoredInputStream armoredInputStream = new ArmoredInputStream(new ByteArrayInputStream(signature));
PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(armoredInputStream, new JcaKeyFingerprintCalculator());
PGPPublicKey publicKey = ((PGPPublicKeyRing) pgpObjectFactory.nextObject()).getPublicKey();
PGPPublicKey publicKey = getPgpPublicKey(signature);
PGPSignature pgpSignature = ((PGPSignature) publicKey.getSignatures().next());
PGPContentVerifierBuilderProvider provider = new JcaPGPContentVerifierBuilderProvider();
@@ -97,6 +108,12 @@ public class GpgKey implements PublicKey {
}
return verified;
}
private PGPPublicKey getPgpPublicKey(byte[] signature) throws IOException {
ArmoredInputStream armoredInputStream = new ArmoredInputStream(new ByteArrayInputStream(signature));
PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(armoredInputStream, new JcaKeyFingerprintCalculator());
return ((PGPPublicKeyRing) pgpObjectFactory.nextObject()).getPublicKey();
}
}

71
scm-webapp/src/main/java/sonia/scm/security/gpg/Keys.java
View File

@@ -24,6 +24,7 @@
package sonia.scm.security.gpg;
import lombok.Value;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
@@ -37,45 +38,71 @@ import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;
import java.util.Set;
import java.util.function.Function;
@Value
final class Keys {
private static final KeyFingerPrintCalculator calculator = new JcaKeyFingerprintCalculator();
private Keys() {}
private final String master;
private final Set<String> subs;
static String resolveIdFromKey(String rawKey) throws IOException, PGPException {
List<PGPPublicKey> keys = collectKeys(rawKey);
if (keys.size() > 1) {
keys = keys.stream().filter(PGPPublicKey::isMasterKey).collect(Collectors.toList());
}
if (keys.isEmpty()) {
throw new IllegalArgumentException("found multiple keys, but no master keys");
}
if (keys.size() > 1) {
throw new IllegalArgumentException("found multiple master keys");
private Keys(String master, Set<String> subs) {
this.master = master;
this.subs = subs;
}
static Keys resolve(String raw) {
return resolve(raw, Keys::collectKeys);
}
static Keys resolve(String raw, Function<String, List<PGPPublicKey>> parser) {
List<PGPPublicKey> parsedKeys = parser.apply(raw);
String master = null;
Set<String> subs = new HashSet<>();
for (PGPPublicKey key : parsedKeys) {
if (key.isMasterKey()) {
if (master != null) {
throw new IllegalArgumentException("Found more than one master key");
}
master = createId(key);
} else {
subs.add(createId(key));
}
}
PGPPublicKey pgpPublicKey = keys.get(0);
return createId(pgpPublicKey);
if (master == null) {
throw new IllegalArgumentException("No master key found");
}
return new Keys(master, Collections.unmodifiableSet(subs));
}
private static String createId(PGPPublicKey pgpPublicKey) {
return "0x" + Long.toHexString(pgpPublicKey.getKeyID()).toUpperCase(Locale.ENGLISH);
}
private static List<PGPPublicKey> collectKeys(String rawKey) throws IOException, PGPException {
List<PGPPublicKey> publicKeys = new ArrayList<>();
InputStream decoderStream = PGPUtil.getDecoderStream(new ByteArrayInputStream(rawKey.getBytes(StandardCharsets.UTF_8)));
PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(decoderStream, calculator);
for (PGPPublicKeyRing pgpPublicKeys : collection) {
for (PGPPublicKey pgpPublicKey : pgpPublicKeys) {
publicKeys.add(pgpPublicKey);
private static List<PGPPublicKey> collectKeys(String rawKey) {
try {
List<PGPPublicKey> publicKeys = new ArrayList<>();
InputStream decoderStream = PGPUtil.getDecoderStream(new ByteArrayInputStream(rawKey.getBytes(StandardCharsets.UTF_8)));
PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(decoderStream, calculator);
for (PGPPublicKeyRing pgpPublicKeys : collection) {
for (PGPPublicKey pgpPublicKey : pgpPublicKeys) {
publicKeys.add(pgpPublicKey);
}
}
return publicKeys;
} catch (IOException | PGPException ex) {
throw new GPGException("Failed to collect public keys", ex);
}
return publicKeys;
}
}

42
scm-webapp/src/main/java/sonia/scm/security/gpg/MasterKeyReference.java Normal file
View File

@@ -0,0 +1,42 @@
/*
* MIT License
*
* Copyright (c) 2020-present Cloudogu GmbH and Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package sonia.scm.security.gpg;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NoArgsConstructor;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
@Getter
@NoArgsConstructor
@AllArgsConstructor
@XmlAccessorType(XmlAccessType.FIELD)
@XmlRootElement
public class MasterKeyReference {
String masterKey;
}

39
scm-webapp/src/main/java/sonia/scm/security/gpg/PublicKeyStore.java
View File

@@ -24,16 +24,16 @@
package sonia.scm.security.gpg;
import org.bouncycastle.openpgp.PGPException;
import sonia.scm.ContextEntry;
import sonia.scm.event.ScmEventBus;
import sonia.scm.security.NotPublicKeyException;
import sonia.scm.security.PublicKeyDeletedEvent;
import sonia.scm.store.DataStore;
import sonia.scm.store.DataStoreFactory;
import sonia.scm.user.UserPermissions;
import javax.inject.Inject;
import javax.inject.Singleton;
import java.io.IOException;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
@@ -43,31 +43,39 @@ import java.util.stream.Collectors;
public class PublicKeyStore {
private static final String STORE_NAME = "gpg_public_keys";
private static final String SUBKEY_STORE_NAME = "gpg_public_sub_keys";
private final DataStore<RawGpgKey> store;
private final DataStore<MasterKeyReference> subKeyStore;
private final ScmEventBus eventBus;
@Inject
public PublicKeyStore(DataStoreFactory dataStoreFactory) {
public PublicKeyStore(DataStoreFactory dataStoreFactory, ScmEventBus eventBus) {
this.store = dataStoreFactory.withType(RawGpgKey.class).withName(STORE_NAME).build();
this.subKeyStore = dataStoreFactory.withType(MasterKeyReference.class).withName(SUBKEY_STORE_NAME).build();
this.eventBus = eventBus;
}
public RawGpgKey add(String displayName, String username, String rawKey) {
UserPermissions.modify(username).check();
UserPermissions.changePublicKeys(username).check();
if (!rawKey.contains("PUBLIC KEY")) {
throw new NotPublicKeyException(ContextEntry.ContextBuilder.entity(RawGpgKey.class, displayName).build(), "The provided key is not a public key");
}
try {
String id = Keys.resolveIdFromKey(rawKey);
RawGpgKey key = new RawGpgKey(id, displayName, username, rawKey, Instant.now());
Keys keys = Keys.resolve(rawKey);
String master = keys.getMaster();
store.put(id, key);
return key;
} catch (IOException | PGPException e) {
throw new GPGException("failed to resolve id from gpg key");
for (String subKey : keys.getSubs()) {
subKeyStore.put(subKey, new MasterKeyReference(master));
}
RawGpgKey key = new RawGpgKey(master, displayName, username, rawKey, Instant.now());
store.put(master, key);
return key;
}
public void delete(String id) {
@@ -75,10 +83,17 @@ public class PublicKeyStore {
if (rawGpgKey != null) {
UserPermissions.modify(rawGpgKey.getOwner()).check();
store.remove(id);
eventBus.post(new PublicKeyDeletedEvent());
}
}
public Optional<RawGpgKey> findById(String id) {
Optional<MasterKeyReference> reference = subKeyStore.getOptional(id);
if (reference.isPresent()) {
return store.getOptional(reference.get().getMasterKey());
}
return store.getOptional(id);
}