PGPainless/cert-d-pgpainless
1
0
Fork 0
mirror of https://codeberg.org/PGPainless/cert-d-pgpainless.git synced 2025-12-05 04:41:09 +01:00
Code Issues Projects Releases Packages Wiki Activity

Bump PGPainless to 2.0.0, cert-d-java to 0.2.3

Browse source
This commit is contained in:
Paul Schaub 2025-09-29 14:32:07 +02:00
parent 7a0b79254d
commit 3cbd2a9317
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
11 changed files with 223 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

33
pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/CertificateFactory.java
View file

@ -4,8 +4,10 @@
package org.pgpainless.certificate_store;
import org.bouncycastle.bcpg.PacketFormat;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.api.OpenPGPCertificate;
import org.pgpainless.key.OpenPgpFingerprint;
import pgp.certificate_store.certificate.Certificate;
@ -13,9 +15,21 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
public class CertificateFactory {
/**
* Create a {@link Certificate} from the given {@link PGPPublicKeyRing} and tag.
*
* @param publicKeyRing PGPPublicKeyRing
* @param tag tag
* @return certificate
* @throws IOException if the certificate cannot be encoded
*
* @deprecated use {@link #certificateFromOpenPGPCertificate(OpenPGPCertificate, Long)} instead.
*/
@Deprecated
public static Certificate certificateFromPublicKeyRing(PGPPublicKeyRing publicKeyRing, Long tag)
throws IOException {
byte[] bytes = publicKeyRing.getEncoded();
@ -28,4 +42,23 @@ public class CertificateFactory {
return new Certificate(bytes, fingerprint, subkeyIds, tag);
}
/**
* Create a {@link Certificate} from the given {@link OpenPGPCertificate} and tag.
*
* @param openPGPCertificate OpenPGPCertificate
* @param tag tag
* @return certificate
* @throws IOException if the certificate cannot be encoded
*/
public static Certificate certificateFromOpenPGPCertificate(OpenPGPCertificate openPGPCertificate, Long tag)
throws IOException {
byte[] bytes = openPGPCertificate.getEncoded(PacketFormat.ROUNDTRIP);
String fingerprint = OpenPgpFingerprint.of(openPGPCertificate).getFingerprint().toLowerCase();
List<Long> subkeyIds = openPGPCertificate.getValidKeys()
.stream()
.map(it -> it.getKeyIdentifier().getKeyId())
.collect(Collectors.toList());
return new Certificate(bytes, fingerprint, subkeyIds, tag);
}
}

27
pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/KeyFactory.java
View file

@ -4,8 +4,10 @@
package org.pgpainless.certificate_store;
import org.bouncycastle.bcpg.PacketFormat;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.api.OpenPGPKey;
import org.pgpainless.PGPainless;
import pgp.certificate_store.certificate.Certificate;
import pgp.certificate_store.certificate.Key;
@ -14,10 +16,35 @@ import java.io.IOException;
public class KeyFactory {
/**
* Create a {@link Key} from the given {@link PGPSecretKeyRing} and tag.
*
* @param secretKeyRing PGPSecretKeyRing
* @param tag tag
* @return key
* @throws IOException if the key cannot be encoded
*
* @deprecated use {@link #keyFromOpenPGPKey(OpenPGPKey, Long)} instead.
*/
@Deprecated
public static Key keyFromSecretKeyRing(PGPSecretKeyRing secretKeyRing, Long tag) throws IOException {
byte[] bytes = secretKeyRing.getEncoded();
PGPPublicKeyRing publicKeyRing = PGPainless.extractCertificate(secretKeyRing);
Certificate certificate = CertificateFactory.certificateFromPublicKeyRing(publicKeyRing, tag);
return new Key(bytes, certificate, tag);
}
/**
* Create a {@link Key} from the given {@link OpenPGPKey} and tag.
*
* @param key OpenPGP key
* @param tag tag
* @return key
* @throws IOException if the key cannot be encoded
*/
public static Key keyFromOpenPGPKey(OpenPGPKey key, Long tag) throws IOException {
byte[] bytes = key.getEncoded(PacketFormat.ROUNDTRIP);
Certificate certificate = CertificateFactory.certificateFromOpenPGPCertificate(key.toCertificate(), tag);
return new Key(bytes, certificate, tag);
}
}

43
pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/KeyMaterialReader.java
View file

@ -4,14 +4,14 @@
package org.pgpainless.certificate_store;
import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.api.OpenPGPCertificate;
import org.bouncycastle.openpgp.api.OpenPGPKey;
import org.pgpainless.PGPainless;
import pgp.certificate_store.certificate.KeyMaterial;
import pgp.certificate_store.certificate.KeyMaterialReaderBackend;
import pgp.certificate_store.exception.BadDataException;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
@ -19,28 +19,25 @@ public class KeyMaterialReader implements KeyMaterialReaderBackend {
@Override
public KeyMaterial read(InputStream data, Long tag) throws IOException, BadDataException {
PGPKeyRing keyMaterial;
OpenPGPCertificate keyOrCertificate;
try {
keyMaterial = PGPainless.readKeyRing().keyRing(data);
} catch (IOException e) {
String msg = e.getMessage();
if (msg == null) {
throw e;
}
if (msg.contains("unknown object in stream") ||
msg.contains("unexpected end of file in armored stream.") ||
msg.contains("invalid header encountered")) {
throw new BadDataException();
} else {
throw e;
}
}
if (keyMaterial instanceof PGPSecretKeyRing) {
return KeyFactory.keyFromSecretKeyRing((PGPSecretKeyRing) keyMaterial, tag);
} else if (keyMaterial instanceof PGPPublicKeyRing) {
return CertificateFactory.certificateFromPublicKeyRing((PGPPublicKeyRing) keyMaterial, tag);
} else {
keyOrCertificate = PGPainless.getInstance()
.readKey()
.parseCertificateOrKey(data);
} catch (EOFException e) {
// TODO: Pass 'e' once cert-d-java is bumped to 0.2.4
throw new BadDataException();
} catch (IOException e) {
if (e.getMessage().contains("Neither a certificate, nor secret key.")) {
throw new BadDataException();
}
throw e;
}
if (keyOrCertificate.isSecretKey()) {
return KeyFactory.keyFromOpenPGPKey((OpenPGPKey) keyOrCertificate, tag);
} else {
return CertificateFactory.certificateFromOpenPGPCertificate(keyOrCertificate, tag);
}
}
}

139
pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/MergeCallbacks.java
View file

@ -5,19 +5,21 @@
package org.pgpainless.certificate_store;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.api.OpenPGPCertificate;
import org.bouncycastle.openpgp.api.OpenPGPKey;
import org.pgpainless.PGPainless;
import org.pgpainless.key.OpenPgpFingerprint;
import pgp.certificate_store.certificate.KeyMaterial;
import pgp.certificate_store.certificate.KeyMaterialMerger;
import pgp.certificate_store.exception.BadDataException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
public class MergeCallbacks {
@ -41,79 +43,95 @@ public class MergeCallbacks {
return data;
}
PGPainless api = PGPainless.getInstance();
OpenPGPCertificate existingCert = api.readKey().parseCertificateOrKey(existing.getInputStream());
OpenPGPCertificate updatedCert = api.readKey().parseCertificateOrKey(data.getInputStream());
OpenPGPCertificate mergedCert = mergeCertificates(updatedCert, existingCert);
printOutDifferences(existingCert, mergedCert);
return toKeyMaterial(mergedCert);
}
private OpenPGPCertificate mergeCertificates(OpenPGPCertificate updatedCertOrKey,
OpenPGPCertificate existingCertOrKey) {
if (!existingCertOrKey.getKeyIdentifier().matchesExplicit(updatedCertOrKey.getKeyIdentifier())) {
throw new IllegalArgumentException("Not the same OpenPGP key/certificate: Mismatched primary key.");
}
OpenPGPCertificate merged;
try {
PGPKeyRing existingKeyRing = PGPainless.readKeyRing().keyRing(existing.getInputStream());
PGPKeyRing updatedKeyRing = PGPainless.readKeyRing().keyRing(data.getInputStream());
if (existingCertOrKey.isSecretKey()) {
OpenPGPKey existingKey = (OpenPGPKey) existingCertOrKey;
PGPKeyRing mergedKeyRing;
if (updatedCertOrKey.isSecretKey()) {
// Merge key with key
OpenPGPKey updatedKey = (OpenPGPKey) updatedCertOrKey;
OpenPGPCertificate mergedCertPart = OpenPGPCertificate.join(
existingKey.toCertificate(),
updatedKey.toCertificate());
if (existingKeyRing instanceof PGPPublicKeyRing) {
mergedKeyRing = mergeWithCert((PGPPublicKeyRing) existingKeyRing, updatedKeyRing);
} else if (existingKeyRing instanceof PGPSecretKeyRing) {
mergedKeyRing = mergeWithKey(existingKeyRing, updatedKeyRing);
List<PGPSecretKey> mergedSecretKeys = new ArrayList<>();
Iterator<PGPSecretKey> existingKeysIterator = existingKey.getPGPSecretKeyRing().getSecretKeys();
while (existingKeysIterator.hasNext()) {
mergedSecretKeys.add(existingKeysIterator.next());
}
Iterator<PGPSecretKey> updatedKeysIterator = updatedKey.getPGPSecretKeyRing().getSecretKeys();
while (updatedKeysIterator.hasNext()) {
PGPSecretKey next = updatedKeysIterator.next();
if (existingKey.getPGPSecretKeyRing().getSecretKey(next.getKeyIdentifier()) == null) {
mergedSecretKeys.add(next);
}
}
PGPSecretKeyRing mergedSecretKeyRing = new PGPSecretKeyRing(mergedSecretKeys);
merged = new OpenPGPKey(
PGPSecretKeyRing.replacePublicKeys(
mergedSecretKeyRing,
mergedCertPart.getPGPPublicKeyRing()));
} else {
// Merge key with cert
OpenPGPCertificate mergedCertPart = OpenPGPCertificate.join(
existingKey.toCertificate(),
updatedCertOrKey);
merged = new OpenPGPKey(
PGPSecretKeyRing.replacePublicKeys(
existingKey.getPGPSecretKeyRing(),
mergedCertPart.getPGPPublicKeyRing()));
}
} else {
throw new IOException(new BadDataException());
if (updatedCertOrKey.isSecretKey()) {
// Swap update and existing cert
return mergeCertificates(existingCertOrKey, updatedCertOrKey);
}
// Merge cert with cert
return OpenPGPCertificate.join(existingCertOrKey, updatedCertOrKey);
}
printOutDifferences(existingKeyRing, mergedKeyRing);
return toKeyMaterial(mergedKeyRing);
return merged;
} catch (PGPException e) {
throw new RuntimeException(e);
}
}
private PGPKeyRing mergeWithCert(PGPPublicKeyRing existingKeyRing, PGPKeyRing updatedKeyRing)
throws PGPException, IOException {
PGPKeyRing mergedKeyRing;
PGPPublicKeyRing existingCert = existingKeyRing;
if (updatedKeyRing instanceof PGPPublicKeyRing) {
mergedKeyRing = PGPPublicKeyRing.join(existingCert, (PGPPublicKeyRing) updatedKeyRing);
} else if (updatedKeyRing instanceof PGPSecretKeyRing) {
PGPPublicKeyRing updatedPublicKeys = PGPainless.extractCertificate((PGPSecretKeyRing) updatedKeyRing);
PGPPublicKeyRing mergedPublicKeys = PGPPublicKeyRing.join(existingCert, updatedPublicKeys);
updatedKeyRing = PGPSecretKeyRing.replacePublicKeys((PGPSecretKeyRing) updatedKeyRing, mergedPublicKeys);
mergedKeyRing = updatedKeyRing;
} else {
throw new IOException(new BadDataException());
}
return mergedKeyRing;
}
private PGPKeyRing mergeWithKey(PGPKeyRing existingKeyRing, PGPKeyRing updatedKeyRing)
throws PGPException, IOException {
PGPKeyRing mergedKeyRing;
PGPSecretKeyRing existingKey = (PGPSecretKeyRing) existingKeyRing;
PGPPublicKeyRing existingCert = PGPainless.extractCertificate(existingKey);
if (updatedKeyRing instanceof PGPPublicKeyRing) {
PGPPublicKeyRing updatedCert = (PGPPublicKeyRing) updatedKeyRing;
PGPPublicKeyRing mergedCert = PGPPublicKeyRing.join(existingCert, updatedCert);
mergedKeyRing = PGPSecretKeyRing.replacePublicKeys(existingKey, mergedCert);
} else if (updatedKeyRing instanceof PGPSecretKeyRing) {
// Merging keys is not supported
mergedKeyRing = existingKeyRing;
} else {
throw new IOException(new BadDataException());
}
return mergedKeyRing;
}
private KeyMaterial toKeyMaterial(PGPKeyRing mergedKeyRing)
private KeyMaterial toKeyMaterial(OpenPGPCertificate mergedCertificate)
throws IOException {
if (mergedKeyRing instanceof PGPPublicKeyRing) {
return CertificateFactory.certificateFromPublicKeyRing((PGPPublicKeyRing) mergedKeyRing, null);
if (mergedCertificate.isSecretKey()) {
return KeyFactory.keyFromOpenPGPKey((OpenPGPKey) mergedCertificate, null);
} else {
return KeyFactory.keyFromSecretKeyRing((PGPSecretKeyRing) mergedKeyRing, null);
return CertificateFactory.certificateFromOpenPGPCertificate(mergedCertificate, null);
}
}
private void printOutDifferences(PGPKeyRing existingCert, PGPKeyRing mergedCert) throws IOException {
private void printOutDifferences(OpenPGPCertificate existingCert, OpenPGPCertificate mergedCert) throws IOException {
int numSigsBefore = countSigs(existingCert);
int numSigsAfter = countSigs(mergedCert);
int newSigs = numSigsAfter - numSigsBefore;
int numUidsBefore = count(existingCert.getPublicKey().getUserIDs());
int numUidsAfter = count(mergedCert.getPublicKey().getUserIDs());
int numUidsBefore = count(existingCert.getAllUserIds().iterator());
int numUidsAfter = count(mergedCert.getAllUserIds().iterator());
int newUids = numUidsAfter - numUidsBefore;
if (!Arrays.equals(existingCert.getEncoded(), mergedCert.getEncoded())) {
@ -140,11 +158,10 @@ public class MergeCallbacks {
}
}
private int countSigs(PGPKeyRing keys) {
private int countSigs(OpenPGPCertificate keys) {
int numSigs = 0;
Iterator<PGPPublicKey> iterator = keys.getPublicKeys();
while (iterator.hasNext()) {
PGPPublicKey key = iterator.next();
for (OpenPGPCertificate.OpenPGPComponentKey componentKey : keys.getKeys()) {
PGPPublicKey key = componentKey.getPGPPublicKey();
numSigs += count(key.getSignatures());
}
return numSigs;

41
pgpainless-cert-d/src/test/java/org/pgpainless/cert_d/SharedPGPCertificateDirectoryTest.java
View file

@ -14,8 +14,6 @@ import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
@ -24,14 +22,14 @@ import java.util.NoSuchElementException;
import java.util.Set;
import java.util.stream.Stream;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.api.OpenPGPCertificate;
import org.bouncycastle.openpgp.api.OpenPGPKey;
import org.bouncycastle.util.io.Streams;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.MethodSource;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.algorithm.OpenPGPKeyVersion;
import org.pgpainless.certificate_store.PGPainlessCertD;
import org.pgpainless.key.OpenPgpFingerprint;
import org.pgpainless.key.generation.KeySpec;
@ -68,10 +66,11 @@ public class SharedPGPCertificateDirectoryTest {
@ParameterizedTest
@MethodSource("provideTestSubjects")
public void simpleInsertGet(PGPainlessCertD directory)
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
BadDataException, InterruptedException, BadNameException {
PGPSecretKeyRing key = PGPainless.generateKeyRing().modernKeyRing("Alice");
PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
throws IOException, BadDataException, InterruptedException {
OpenPGPKey key = PGPainless.getInstance()
.generateKey(OpenPGPKeyVersion.v4)
.modernKeyRing("Alice");
OpenPGPCertificate cert = key.toCertificate();
OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(cert);
ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
@ -90,13 +89,14 @@ public class SharedPGPCertificateDirectoryTest {
@ParameterizedTest
@MethodSource("provideTestSubjects")
public void simpleInsertGetBySpecialName(PGPainlessCertD directory)
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
BadDataException, InterruptedException, BadNameException {
PGPSecretKeyRing key = PGPainless.buildKeyRing()
throws IOException, BadDataException, InterruptedException, BadNameException {
OpenPGPKey key = PGPainless.getInstance()
.buildKey(OpenPGPKeyVersion.v4)
.addUserId("trust-root")
.setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA_LEGACY(EdDSALegacyCurve._Ed25519), KeyFlag.CERTIFY_OTHER))
.build();
PGPPublicKeyRing trustRoot = PGPainless.extractCertificate(key);
OpenPGPCertificate trustRoot = key.toCertificate();
OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(trustRoot);
ByteArrayInputStream certIn = new ByteArrayInputStream(trustRoot.getEncoded());
@ -115,20 +115,21 @@ public class SharedPGPCertificateDirectoryTest {
@ParameterizedTest
@MethodSource("provideTestSubjects")
public void testGetItemsAndFingerprints(PGPainlessCertD directory)
throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
BadDataException, InterruptedException, BadNameException {
throws IOException, BadDataException, InterruptedException, BadNameException {
PGPSecretKeyRing trustRootKey = PGPainless.generateKeyRing().modernKeyRing("Alice");
PGPPublicKeyRing trustRootCert = PGPainless.extractCertificate(trustRootKey);
OpenPGPKey trustRootKey = PGPainless.getInstance().generateKey(OpenPGPKeyVersion.v4)
.modernKeyRing("Alice");
OpenPGPCertificate trustRootCert = trustRootKey.toCertificate();
OpenPgpFingerprint trustRootFingerprint = OpenPgpFingerprint.of(trustRootCert);
ByteArrayInputStream trustRootCertIn = new ByteArrayInputStream(trustRootCert.getEncoded());
directory.insertWithSpecialName("trust-root", trustRootCertIn, dummyMerge);
final int certificateCount = 3;
Map<String, PGPPublicKeyRing> certificateMap = new HashMap<>();
Map<String, OpenPGPCertificate> certificateMap = new HashMap<>();
for (int i = 0; i < certificateCount; i++) {
PGPSecretKeyRing key = PGPainless.generateKeyRing().modernKeyRing("Alice");
PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
OpenPGPKey key = PGPainless.getInstance().generateKey(OpenPGPKeyVersion.v4)
.modernKeyRing("Alice");
OpenPGPCertificate cert = key.toCertificate();
OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(cert);
certificateMap.put(fingerprint.toString().toLowerCase(), cert);

6
pgpainless-cert-d/src/test/java/org/pgpainless/certificate_store/KeyMaterialReaderTest.java
View file

@ -16,11 +16,11 @@ import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertInstanceOf;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertSame;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class KeyMaterialReaderTest {
@ -111,7 +111,7 @@ public class KeyMaterialReaderTest {
public void readKeyTest() throws BadDataException, IOException {
KeyMaterial keyMaterial = reader.read(new ByteArrayInputStream(KEY.getBytes(UTF8)), 12L);
assertNotNull(keyMaterial);
assertTrue(keyMaterial instanceof Key);
assertInstanceOf(Key.class, keyMaterial);
Key key = (Key) keyMaterial;
assertEquals("b21aabbf15df0fda37424de9ad008384ad0a064c", key.getFingerprint());
assertEquals(12L, key.getTag());
@ -125,7 +125,7 @@ public class KeyMaterialReaderTest {
public void readCertTest() throws BadDataException, IOException {
KeyMaterial keyMaterial = reader.read(new ByteArrayInputStream(CERT.getBytes(UTF8)), null);
assertNotNull(keyMaterial);
assertTrue(keyMaterial instanceof Certificate);
assertInstanceOf(Certificate.class, keyMaterial);
Certificate certificate = (Certificate) keyMaterial;
assertEquals("b21aabbf15df0fda37424de9ad008384ad0a064c", certificate.getFingerprint());
assertNull(certificate.getTag());