PGPainless/cert-d-pgpainless
1
0
Fork 0
mirror of https://codeberg.org/PGPainless/cert-d-pgpainless.git synced 2025-09-09 18:29:49 +02:00
Code Issues Projects Releases Packages Wiki Activity

Implement storing of trust-root key

Browse source
This commit is contained in:
Paul Schaub 2022-07-04 20:12:42 +02:00
parent fca9a8ef91
commit ee1fd669ed
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
13 changed files with 357 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

124
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/MergeCallbacks.java Normal file
View file

@ -0,0 +1,124 @@
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package pgp.cert_d.cli;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.pgpainless.PGPainless;
import org.pgpainless.certificate_store.CertificateFactory;
import org.pgpainless.key.OpenPgpFingerprint;
import pgp.certificate_store.Certificate;
import pgp.certificate_store.CertificateMerger;
import pgp.certificate_store.Key;
import pgp.certificate_store.KeyMerger;
import java.io.IOException;
import java.util.Iterator;
public class MergeCallbacks {
/**
* Return a {@link CertificateMerger} that merges the two copies of the same certificate (same primary key) into one
* combined certificate.
*
* @return merging callback
*/
public static CertificateMerger mergeCertificates() {
return new CertificateMerger() {
@Override
public Certificate merge(Certificate data, Certificate existing) throws IOException {
try {
PGPPublicKeyRing existingCert = PGPainless.readKeyRing().publicKeyRing(existing.getInputStream());
PGPPublicKeyRing updatedCert = PGPainless.readKeyRing().publicKeyRing(data.getInputStream());
PGPPublicKeyRing mergedCert = PGPPublicKeyRing.join(existingCert, updatedCert);
printOutDifferences(existingCert, mergedCert);
return CertificateFactory.certificateFromPublicKeyRing(mergedCert);
} catch (PGPException e) {
throw new RuntimeException(e);
}
}
private void printOutDifferences(PGPPublicKeyRing existingCert, PGPPublicKeyRing mergedCert) {
int numSigsBefore = countSigs(existingCert);
int numSigsAfter = countSigs(mergedCert);
int newSigs = numSigsAfter - numSigsBefore;
int numUidsBefore = count(existingCert.getPublicKey().getUserIDs());
int numUidsAfter = count(mergedCert.getPublicKey().getUserIDs());
int newUids = numUidsAfter - numUidsBefore;
if (!existingCert.equals(mergedCert)) {
OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(mergedCert);
StringBuilder sb = new StringBuilder();
sb.append(String.format("Certificate %s has", fingerprint));
if (newSigs != 0) {
sb.append(String.format(" %d new signatures", newSigs));
}
if (newUids != 0) {
if (newSigs != 0) {
sb.append(" and");
}
sb.append(String.format(" %d new UIDs", newUids));
}
if (newSigs == 0 && newUids == 0) {
sb.append(" changed");
}
// In this case it is okay to print to stdout, since we are a CLI app
// CHECKSTYLE:OFF
System.out.println(sb);
// CHECKSTYLE:ON
}
}
private int countSigs(PGPPublicKeyRing keys) {
int numSigs = 0;
for (PGPPublicKey key : keys) {
numSigs += count(key.getSignatures());
}
return numSigs;
}
// TODO: Use CollectionUtils.count() once available
private int count(Iterator<?> iterator) {
int num = 0;
while (iterator.hasNext()) {
iterator.next();
num++;
}
return num;
}
};
}
/**
* Return an implementation of {@link CertificateMerger} that ignores the existing certificate and instead
* returns the first instance.
*
* @return overriding callback
*/
public static CertificateMerger overrideCertificate() {
// noinspection Convert2Lambda
return new CertificateMerger() {
@Override
public Certificate merge(Certificate data, Certificate existing) {
return data;
}
};
}
public static KeyMerger overrideKey() {
// noinspection Convert2Lambda
return new KeyMerger() {
@Override
public Key merge(Key data, Key existing) {
return data;
}
};
}
}

11
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/PGPCertDCli.java
View file

@ -5,6 +5,7 @@
package pgp.cert_d.cli;
import org.pgpainless.certificate_store.CertificateReader;
import org.pgpainless.certificate_store.KeyReader;
import org.pgpainless.certificate_store.SharedPGPCertificateDirectoryAdapter;
import pgp.cert_d.BaseDirectoryProvider;
import pgp.cert_d.SharedPGPCertificateDirectoryImpl;
@ -12,6 +13,7 @@ import pgp.cert_d.cli.commands.Export;
import pgp.cert_d.cli.commands.Get;
import pgp.cert_d.cli.commands.Insert;
import pgp.cert_d.cli.commands.Import;
import pgp.cert_d.cli.commands.Setup;
import pgp.cert_d.jdbc.sqlite.DatabaseSubkeyLookup;
import pgp.cert_d.jdbc.sqlite.SqliteSubkeyLookupDaoImpl;
import pgp.certificate_store.SubkeyLookup;
@ -26,15 +28,19 @@ import java.sql.SQLException;
name = "certificate-store",
description = "Store and manage public OpenPGP certificates",
subcommands = {
CommandLine.HelpCommand.class,
Export.class,
Insert.class,
Import.class,
Get.class,
Setup.class
}
)
public class PGPCertDCli {
@CommandLine.Option(names = "--base-directory", paramLabel = "DIRECTORY", description = "Overwrite the default certificate directory")
@CommandLine.Option(names = {"-s", "--store"}, paramLabel = "DIRECTORY",
description = "Overwrite the default certificate directory path",
scope = CommandLine.ScopeType.INHERIT)
File baseDirectory;
private static CertificateDirectory certificateDirectory;
@ -57,7 +63,8 @@ public class PGPCertDCli {
certificateDirectory = new SharedPGPCertificateDirectoryImpl(
baseDirectory,
new CertificateReader());
new CertificateReader(),
new KeyReader());
subkeyLookup = new DatabaseSubkeyLookup(
SqliteSubkeyLookupDaoImpl.forDatabaseFile(new File(baseDirectory, "_pgpainless_subkey_map.db")));

85
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/DefaultMergeCallback.java
View file

@ -1,85 +0,0 @@
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package pgp.cert_d.cli.commands;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.pgpainless.PGPainless;
import org.pgpainless.certificate_store.CertificateFactory;
import org.pgpainless.key.OpenPgpFingerprint;
import pgp.certificate_store.Certificate;
import pgp.certificate_store.MergeCallback;
import java.io.IOException;
import java.util.Iterator;
public class DefaultMergeCallback implements MergeCallback {
@Override
public Certificate merge(Certificate data, Certificate existing) throws IOException {
try {
PGPPublicKeyRing existingCert = PGPainless.readKeyRing().publicKeyRing(existing.getInputStream());
PGPPublicKeyRing updatedCert = PGPainless.readKeyRing().publicKeyRing(data.getInputStream());
PGPPublicKeyRing mergedCert = PGPPublicKeyRing.join(existingCert, updatedCert);
printOutDifferences(existingCert, mergedCert);
return CertificateFactory.certificateFromPublicKeyRing(mergedCert);
} catch (PGPException e) {
throw new RuntimeException(e);
}
}
private void printOutDifferences(PGPPublicKeyRing existingCert, PGPPublicKeyRing mergedCert) {
int numSigsBefore = countSigs(existingCert);
int numSigsAfter = countSigs(mergedCert);
int newSigs = numSigsAfter - numSigsBefore;
int numUidsBefore = count(existingCert.getPublicKey().getUserIDs());
int numUidsAfter = count(mergedCert.getPublicKey().getUserIDs());
int newUids = numUidsAfter - numUidsBefore;
if (!existingCert.equals(mergedCert)) {
OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(mergedCert);
StringBuilder sb = new StringBuilder();
sb.append(String.format("Certificate %s has", fingerprint));
if (newSigs != 0) {
sb.append(String.format(" %d new signatures", newSigs));
}
if (newUids != 0) {
if (newSigs != 0) {
sb.append(" and");
}
sb.append(String.format(" %d new UIDs", newUids));
}
if (newSigs == 0 && newUids == 0) {
sb.append(" changed");
}
// In this case it is okay to print to stdout, since we are a CLI app
// CHECKSTYLE:OFF
System.out.println(sb);
// CHECKSTYLE:ON
}
}
private static int countSigs(PGPPublicKeyRing keys) {
int numSigs = 0;
for (PGPPublicKey key : keys) {
numSigs += count(key.getSignatures());
}
return numSigs;
}
// TODO: Use CollectionUtils.count() once available
private static int count(Iterator<?> iterator) {
int num = 0;
while (iterator.hasNext()) {
iterator.next();
num++;
}
return num;
}
}

5
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/Import.java
View file

@ -10,9 +10,9 @@ import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.pgpainless.PGPainless;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pgp.cert_d.cli.MergeCallbacks;
import pgp.cert_d.cli.PGPCertDCli;
import pgp.certificate_store.Certificate;
import pgp.certificate_store.MergeCallback;
import pgp.certificate_store.exception.BadDataException;
import picocli.CommandLine;
@ -24,7 +24,6 @@ import java.io.IOException;
public class Import implements Runnable {
private static final Logger LOGGER = LoggerFactory.getLogger(Import.class);
private final MergeCallback mergeCallback = new DefaultMergeCallback();
@Override
public void run() {
@ -33,7 +32,7 @@ public class Import implements Runnable {
for (PGPPublicKeyRing cert : certificates) {
ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
Certificate certificate = PGPCertDCli.getCertificateDirectory()
.insertCertificate(certIn, mergeCallback);
.insertCertificate(certIn, MergeCallbacks.mergeCertificates());
}
} catch (IOException e) {
LOGGER.error("IO-Error.", e);

6
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/Insert.java
View file

@ -6,9 +6,9 @@ package pgp.cert_d.cli.commands;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pgp.cert_d.cli.MergeCallbacks;
import pgp.cert_d.cli.PGPCertDCli;
import pgp.certificate_store.Certificate;
import pgp.certificate_store.MergeCallback;
import pgp.certificate_store.exception.BadDataException;
import picocli.CommandLine;
@ -19,12 +19,12 @@ import java.io.IOException;
public class Insert implements Runnable {
private static final Logger LOGGER = LoggerFactory.getLogger(Insert.class);
private final MergeCallback mergeCallback = new DefaultMergeCallback();
@Override
public void run() {
try {
Certificate certificate = PGPCertDCli.getCertificateDirectory().insertCertificate(System.in, mergeCallback);
Certificate certificate = PGPCertDCli.getCertificateDirectory()
.insertCertificate(System.in, MergeCallbacks.mergeCertificates());
} catch (IOException e) {
LOGGER.error("IO-Error.", e);
System.exit(-1);

107
pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/Setup.java Normal file
View file

@ -0,0 +1,107 @@
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
package pgp.cert_d.cli.commands;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.KeyFlag;
import org.pgpainless.key.generation.KeyRingBuilder;
import org.pgpainless.key.generation.KeySpec;
import org.pgpainless.key.generation.type.KeyType;
import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
import org.pgpainless.util.Passphrase;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pgp.cert_d.cli.MergeCallbacks;
import pgp.cert_d.cli.PGPCertDCli;
import pgp.certificate_store.exception.BadDataException;
import picocli.CommandLine;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
@CommandLine.Command(name = "setup",
description = "Setup a new certificate directory")
public class Setup implements Runnable {
public static final Logger LOGGER = LoggerFactory.getLogger(Setup.class);
@CommandLine.ArgGroup()
Exclusive exclusive;
static class Exclusive {
@CommandLine.Option(names = "--with-password",
paramLabel = "PASSWORD",
description = "Ask for a password for the trust-root key")
String password;
@CommandLine.Option(names = "--import-from-stdin",
description = "Import trust-root from stdin")
boolean importFromStdin;
}
@Override
public void run() {
PGPSecretKeyRing trustRoot;
if (exclusive == null) {
trustRoot = generateTrustRoot(Passphrase.emptyPassphrase());
} else {
if (exclusive.importFromStdin) {
trustRoot = readTrustRoot(System.in);
} else {
trustRoot = generateTrustRoot(Passphrase.fromPassword(exclusive.password.trim()));
}
}
try {
InputStream inputStream = new ByteArrayInputStream(trustRoot.getEncoded());
PGPCertDCli.getCertificateDirectory().insertTrustRoot(inputStream, MergeCallbacks.overrideKey());
} catch (BadDataException e) {
throw new RuntimeException(e);
} catch (IOException e) {
LOGGER.error("IO error.", e);
System.exit(-1);
} catch (InterruptedException e) {
LOGGER.error("Thread interrupted.", e);
System.exit(-1);
}
}
private PGPSecretKeyRing generateTrustRoot(Passphrase passphrase) {
PGPSecretKeyRing trustRoot;
KeyRingBuilder builder = PGPainless.buildKeyRing()
.addUserId("trust-root");
if (passphrase != null) {
builder.setPassphrase(passphrase);
}
builder.setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER));
try {
trustRoot = builder.build();
} catch (NoSuchAlgorithmException | PGPException | InvalidAlgorithmParameterException e) {
throw new RuntimeException("Cannot generate trust-root OpenPGP key", e);
}
return trustRoot;
}
private PGPSecretKeyRing readTrustRoot(InputStream inputStream) {
try {
PGPSecretKeyRing secretKeys = PGPainless.readKeyRing().secretKeyRing(inputStream);
if (secretKeys == null) {
throw new BadDataException();
}
return secretKeys;
} catch (IOException e) {
throw new RuntimeException("Cannot read trust-root OpenPGP key", e);
} catch (BadDataException e) {
throw new RuntimeException("trust-root does not contain OpenPGP key", e);
}
}
}