Add OpenPGPCertificateUtil and unify the way, SOP encodes/armors certificates/keys

2025-09-10 18:59:39 +02:00 · 2025-05-14 13:27:06 +02:00 · 2025-05-14 13:27:06 +02:00 · 92d66f7f30
commit 92d66f7f30
parent b8841a4415
10 changed files with 260 additions and 105 deletions
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/bouncycastle/extensions/OpenPGPCertificateExtensions.kt
@ -4,6 +4,9 @@

 package org.pgpainless.bouncycastle.extensions

+import java.io.OutputStream
+import org.bouncycastle.bcpg.ArmoredOutputStream
+import org.bouncycastle.bcpg.PacketFormat
 import org.bouncycastle.openpgp.PGPOnePassSignature
 import org.bouncycastle.openpgp.api.OpenPGPCertificate
 import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey
@ -22,3 +25,38 @@ fun OpenPGPCertificate.getKeyVersion(): OpenPGPKeyVersion = primaryKey.getKeyVer

 /** Return the [OpenPGPKeyVersion] of the component key. */
 fun OpenPGPComponentKey.getKeyVersion(): OpenPGPKeyVersion = OpenPGPKeyVersion.from(this.version)
+
+/**
+ * ASCII-armor-encode the certificate into the given [OutputStream].
+ *
+ * @param outputStream output stream
+ * @param format packet length encoding format, defaults to [PacketFormat.ROUNDTRIP]
+ */
+fun OpenPGPCertificate.asciiArmor(
+    outputStream: OutputStream,
+    format: PacketFormat = PacketFormat.ROUNDTRIP
+) {
+    outputStream.write(toAsciiArmoredString(format).encodeToByteArray())
+}
+
+/**
+ * ASCII-armor-encode the certificate into the given [OutputStream].
+ *
+ * @param outputStream output stream
+ * @param format packet length encoding format, defaults to [PacketFormat.ROUNDTRIP]
+ * @param armorBuilder builder for the ASCII armored output stream
+ */
+fun OpenPGPCertificate.asciiArmor(
+    outputStream: OutputStream,
+    format: PacketFormat,
+    armorBuilder: ArmoredOutputStream.Builder
+) {
+    outputStream.write(toAsciiArmoredString(format, armorBuilder).encodeToByteArray())
+}
+
+fun OpenPGPCertificate.encode(
+    outputStream: OutputStream,
+    format: PacketFormat = PacketFormat.ROUNDTRIP
+) {
+    outputStream.write(getEncoded(format))
+}
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/util/OpenPGPCertificateUtil.kt
@ -1,4 +1,49 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.util

-class OpenPGPCertificateUtil {
+import java.io.OutputStream
+import org.bouncycastle.bcpg.ArmoredOutputStream
+import org.bouncycastle.bcpg.PacketFormat
+import org.bouncycastle.openpgp.api.OpenPGPCertificate
+import org.pgpainless.bouncycastle.extensions.asciiArmor
+import org.pgpainless.bouncycastle.extensions.encode
+
+class OpenPGPCertificateUtil private constructor() {
+
+    companion object {
+        @JvmStatic
+        @JvmOverloads
+        fun encode(
+            certs: Collection<OpenPGPCertificate>,
+            outputStream: OutputStream,
+            packetFormat: PacketFormat = PacketFormat.ROUNDTRIP
+        ) {
+            for (cert in certs) {
+                cert.encode(outputStream, packetFormat)
+            }
+        }
+
+        @JvmStatic
+        @JvmOverloads
+        fun armor(
+            certs: Collection<OpenPGPCertificate>,
+            outputStream: OutputStream,
+            packetFormat: PacketFormat = PacketFormat.ROUNDTRIP
+        ) {
+            if (certs.size == 1) {
+                // Add pretty armor header to single cert/key
+                certs.iterator().next().asciiArmor(outputStream, packetFormat)
+            } else {
+                // Do not add a pretty header
+                val aOut = ArmoredOutputStream(outputStream)
+                for (cert in certs) {
+                    cert.encode(aOut, packetFormat)
+                }
+                aOut.close()
+            }
+        }
+    }
 }
--- a/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java
+++ b/pgpainless-core/src/test/java/org/pgpainless/util/OpenPGPCertificateUtilTest.java
@ -1,4 +1,118 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.util;

+import org.bouncycastle.bcpg.PacketFormat;
+import org.bouncycastle.openpgp.api.OpenPGPCertificate;
+import org.junit.jupiter.api.TestTemplate;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.pgpainless.PGPainless;
+
+import java.io.ByteArrayOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
 public class OpenPGPCertificateUtilTest {
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testEncodeSingleCert() {
+        PGPainless api = PGPainless.getInstance();
+
+        List<OpenPGPCertificate> certs = new ArrayList<>();
+        certs.add(api.generateKey().modernKeyRing("Alice <alice@pgpainless.org>").toCertificate());
+
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT);
+        String armor = bOut.toString();
+
+        assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "),
+                "For a single cert, the ASCII armor MUST contain a comment with the fingerprint");
+    }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testEncodeSingleKey() {
+        PGPainless api = PGPainless.getInstance();
+
+        List<OpenPGPCertificate> certs = new ArrayList<>();
+        certs.add(api.generateKey().modernKeyRing("Alice <alice@pgpainless.org>"));
+
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT);
+        String armor = bOut.toString();
+
+        assertTrue(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: "),
+                "For a single key, the ASCII armor MUST contain a comment with the fingerprint");
+    }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testEncodeTwoCerts() {
+        PGPainless api = PGPainless.getInstance();
+
+        List<OpenPGPCertificate> certs = new ArrayList<>();
+        certs.add(api.generateKey().modernKeyRing("Alice <alice@pgpainless.org>").toCertificate());
+        certs.add(api.generateKey().modernKeyRing("Bob <bob@pgpainless.org>").toCertificate());
+
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT);
+        String armor = bOut.toString();
+
+        assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----"));
+        assertEquals(
+                armor.indexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"),
+                armor.lastIndexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"),
+                "There MUST only be a single block in the armor.");
+        assertFalse(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "),
+                "For multiple certs, the ASCII armor MUST NOT contain a comment containing the fingerprint");
+    }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testEncodeCertAndKey() {
+        PGPainless api = PGPainless.getInstance();
+
+        List<OpenPGPCertificate> certs = new ArrayList<>();
+        certs.add(api.generateKey().modernKeyRing("Alice <alice@pgpainless.org>").toCertificate());
+        certs.add(api.generateKey().modernKeyRing("Bob <bob@pgpainless.org>"));
+
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT);
+        String armor = bOut.toString();
+
+        assertTrue(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----"));
+        assertEquals(
+                armor.indexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"),
+                armor.lastIndexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----"));
+        assertFalse(armor.startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: "),
+                "For multiple certs/keys, the ASCII armor MUST NOT contain a comment containing the fingerprint");
+    }
+
+    @TestTemplate
+    @ExtendWith(TestAllImplementations.class)
+    public void testEncodeKeyAndCert() {
+        PGPainless api = PGPainless.getInstance();
+
+        List<OpenPGPCertificate> certs = new ArrayList<>();
+        certs.add(api.generateKey().modernKeyRing("Alice <alice@pgpainless.org>"));
+        certs.add(api.generateKey().modernKeyRing("Bob <bob@pgpainless.org>").toCertificate());
+
+        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+        OpenPGPCertificateUtil.armor(certs, bOut, PacketFormat.CURRENT);
+        String armor = bOut.toString();
+
+        assertTrue(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----"));
+        assertEquals(
+                armor.indexOf("-----BEGIN PGP PRIVATE KEY BLOCK-----"),
+                armor.lastIndexOf("-----BEGIN PGP PRIVATE KEY BLOCK-----"));
+        assertFalse(armor.startsWith("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: "),
+                "For multiple certs, the ASCII armor MUST NOT contain a comment containing the fingerprint");
+    }
 }