Initial commit

.gitignore

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2021 Paul Schaub <info@pgpainless.org>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+.idea
+.gradle
+
+out/
+build/
+bin/
+libs/
+
+*.iws
+*.iml
+*.ipr
+*.class
+*.log
+*.jar
+
+gradle.properties
+!gradle-wrapper.jar
+
+.classpath
+.project
+.settings/
+
+pgpainless-core/.classpath
+pgpainless-core/.project
+pgpainless-core/.settings/
+
+push_html.sh

build.gradle

@@ -0,0 +1,246 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub <info@pgpainless.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+buildscript {
+
+    repositories {
+
+        maven {
+            url "https://plugins.gradle.org/m2/"
+        }
+        mavenLocal()
+        mavenCentral()
+    }
+    dependencies {
+        classpath "gradle.plugin.org.kt3k.gradle.plugin:coveralls-gradle-plugin:2.12.0"
+    }
+}
+
+plugins {
+    id 'ru.vyarus.animalsniffer' version '1.5.3'
+}
+
+apply from: 'version.gradle'
+
+allprojects {
+    apply plugin: 'java'
+    apply plugin: 'idea'
+    apply plugin: 'eclipse'
+    apply plugin: 'jacoco'
+    apply plugin: 'checkstyle'
+
+    // Only generate jar for submodules
+    // without this we would generate an empty .jar for the project root
+    // https://stackoverflow.com/a/25445035
+    jar {
+        onlyIf { !sourceSets.main.allSource.files.isEmpty() }
+    }
+
+    // checkstyle
+    checkstyle {
+        toolVersion = '8.18'
+    }
+
+    group 'org.pgpainless'
+    description = "Shared PGP Certificate Directory for Java"
+    version = shortVersion
+
+    sourceCompatibility = javaSourceCompatibility
+
+    repositories {
+        mavenCentral()
+    }
+
+    // Reproducible Builds
+    tasks.withType(AbstractArchiveTask) {
+        preserveFileTimestamps = false
+        reproducibleFileOrder = true
+    }
+
+    project.ext {
+        slf4jVersion = '1.7.32'
+        logbackVersion = '1.2.9'
+        junitVersion = '5.8.2'
+        rootConfigDir = new File(rootDir, 'config')
+        gitCommit = getGitCommit()
+        isContinuousIntegrationEnvironment = Boolean.parseBoolean(System.getenv('CI'))
+        isReleaseVersion = !isSnapshot
+        signingRequired = !(isSnapshot || isContinuousIntegrationEnvironment)
+        sonatypeCredentialsAvailable = project.hasProperty('sonatypeUsername') && project.hasProperty('sonatypePassword')
+        sonatypeSnapshotUrl = 'https://oss.sonatype.org/content/repositories/snapshots'
+        sonatypeStagingUrl = 'https://oss.sonatype.org/service/local/staging/deploy/maven2'
+    }
+
+    if (isSnapshot) {
+        version = version + '-SNAPSHOT'
+    }
+    def projectDirFile = new File("$projectDir")
+    if (!project.ext.isSnapshot && !'git describe --exact-match HEAD'.execute(null, projectDirFile).text.trim().equals(ext.shortVersion)) {
+        throw new InvalidUserDataException('Untagged version detected! Please tag every release.')
+    }
+    if (!version.endsWith('-SNAPSHOT') && version != 'git tag --points-at HEAD'.execute(null, projectDirFile).text.trim()) {
+        throw new InvalidUserDataException(
+                'Tag mismatch detected, version is ' + version + ' but should be ' +
+                        'git tag --points-at HEAD'.execute(null, projectDirFile).text.trim())
+    }
+
+    jacoco {
+        toolVersion = "0.8.7"
+    }
+
+    jacocoTestReport {
+        dependsOn test
+        sourceDirectories.setFrom(project.files(sourceSets.main.allSource.srcDirs))
+        classDirectories.setFrom(project.files(sourceSets.main.output))
+        reports {
+            xml.enabled true
+        }
+    }
+
+    test {
+        useJUnitPlatform()
+        testLogging {
+            events "passed", "skipped", "failed"
+            exceptionFormat "full"
+        }
+    }
+}
+
+subprojects {
+    apply plugin: 'maven-publish'
+    apply plugin: 'signing'
+
+    task sourcesJar(type: Jar, dependsOn: classes) {
+        classifier = 'sources'
+        from sourceSets.main.allSource
+    }
+    task javadocJar(type: Jar, dependsOn: javadoc) {
+        classifier = 'javadoc'
+        from javadoc.destinationDir
+    }
+    task testsJar(type: Jar, dependsOn: testClasses) {
+        classifier = 'tests'
+        from sourceSets.test.output
+    }
+
+    publishing {
+        publications {
+            mavenJava(MavenPublication) {
+                from components.java
+                artifact sourcesJar
+                artifact javadocJar
+                artifact testsJar
+                pom {
+                    name = 'Cert-D-Java'
+                    description = 'Shared PGP Certificate Directory for Java'
+                    url = 'https://github.com/pgpainless/cert-d-java'
+                    inceptionYear = '2022'
+
+                    scm {
+                        url = 'https://github.com/pgpainless/cert-d-java'
+                        connection = 'scm:https://github.com/pgpainless/cert-d-java'
+                        developerConnection = 'scm:git://github.com/pgpainless/cert-d-java.git'
+                    }
+
+                    licenses {
+                        license {
+                            name = 'The Apache Software License, Version 2.0'
+                            url = 'http://www.apache.org/licenses/LICENSE-2.0.txt'
+                            distribution = 'repo'
+                        }
+                    }
+
+                    developers {
+                        developer {
+                            id = 'vanitasvitae'
+                            name = 'Paul Schaub'
+                            email = 'vanitasvitae@fsfe.org'
+                        }
+                    }
+                }
+            }
+        }
+        repositories {
+            if (sonatypeCredentialsAvailable) {
+                maven {
+                    url isSnapshot ? sonatypeSnapshotUrl : sonatypeStagingUrl
+                    credentials {
+                        username = sonatypeUsername
+                        password = sonatypePassword
+                    }
+                }
+            }
+        }
+    }
+
+    signing {
+        useGpgCmd()
+        required { signingRequired }
+        sign publishing.publications.mavenJava
+    }
+}
+
+def getGitCommit() {
+    def projectDirFile = new File("$projectDir")
+    def dotGit = new File("$projectDir/.git")
+    if (!dotGit.isDirectory()) return 'non-git build'
+
+    def cmd = 'git describe --always --tags --dirty=+'
+    def proc = cmd.execute(null, projectDirFile)
+    def gitCommit = proc.text.trim()
+    assert !gitCommit.isEmpty()
+
+    def srCmd = 'git symbolic-ref --short HEAD'
+    def srProc = srCmd.execute(null, projectDirFile)
+    srProc.waitForOrKill(10 * 1000)
+    if (srProc.exitValue() == 0) {
+        // Only add the information if the git command was
+        // successful. There may be no symbolic reference for HEAD if
+        // e.g. in detached mode.
+        def symbolicReference = srProc.text.trim()
+        assert !symbolicReference.isEmpty()
+        gitCommit += "-$symbolicReference"
+    }
+
+    gitCommit
+}
+
+apply plugin: "com.github.kt3k.coveralls"
+coveralls {
+	sourceDirs = files(subprojects.sourceSets.main.allSource.srcDirs).files.absolutePath
+}
+
+task jacocoRootReport(type: JacocoReport) {
+    dependsOn = subprojects.jacocoTestReport
+    sourceDirectories.setFrom(files(subprojects.sourceSets.main.allSource.srcDirs))
+    classDirectories.setFrom(files(subprojects.sourceSets.main.output))
+    executionData.setFrom(files(subprojects.jacocoTestReport.executionData))
+    reports {
+        xml.enabled true
+        xml.destination file("${buildDir}/reports/jacoco/test/jacocoTestReport.xml")
+    }
+    // We could remove the following setOnlyIf line, but then
+    // jacocoRootReport would silently be SKIPPED if something with
+    // the projectsWithUnitTests is wrong (e.g. a project is missing
+    // in there).
+    setOnlyIf { true }
+}
+
+task javadocAll(type: Javadoc) {
+    def currentJavaVersion = JavaVersion.current()
+    if (currentJavaVersion.compareTo(JavaVersion.VERSION_1_9) >= 0) {
+        options.addStringOption("-release", "8");
+    }
+    source subprojects.collect {project ->
+        project.sourceSets.main.allJava }
+    destinationDir = new File(buildDir, 'javadoc')
+    // Might need a classpath
+    classpath = files(subprojects.collect {project ->
+        project.sourceSets.main.compileClasspath})
+    options.linkSource = true
+    options.use = true
+    options.links = [
+            "https://docs.oracle.com/javase/${sourceCompatibility.getMajorVersion()}/docs/api/",
+    ] as String[]
+}

pgpainless-cert-d-cli/README.md

@@ -0,0 +1,10 @@
+<!--
+SPDX-FileCopyrightText: 2022 Paul Schaub <info@pgpainless.org>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Command Line Interface for pgpainless-cert-d
+
+This module utilizes [picocli](https://picocli.info) to provide a CLI application for use with the
+[Shared PGP Certificate Directory](https://sequoia-pgp.gitlab.io/pgp-cert-d/).

pgpainless-cert-d-cli/build.gradle

@@ -0,0 +1,51 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+plugins {
+    id 'application'
+}
+
+group 'org.pgpainless'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
+    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+
+    // Logging
+    testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
+
+    implementation project(":pgpainless-cert-d")
+    implementation project(":pgp-cert-d-java-jdbc-sqlite-lookup")
+
+    // picocli for cli
+    implementation "info.picocli:picocli:4.6.2"
+}
+
+test {
+    useJUnitPlatform()
+}
+
+mainClassName = 'pgp.cert_d.cli.PGPCertDCli'
+
+jar {
+    dependsOn(":pgpainless-cert-d:assemble", ":pgp-certificate-store:assemble", ":pgp-cert-d-java:assemble", ":pgpainless-core:assemble")
+    manifest {
+        attributes 'Main-Class': "$mainClassName"
+    }
+
+    duplicatesStrategy(DuplicatesStrategy.EXCLUDE)
+
+    from {
+        configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
+    } {
+        exclude "META-INF/*.SF"
+        exclude "META-INF/*.DSA"
+        exclude "META-INF/*.RSA"
+    }
+}
+

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/PGPCertDCli.java

@@ -0,0 +1,73 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package pgp.cert_d.cli;
+
+import org.pgpainless.certificate_store.CertificateReader;
+import org.pgpainless.certificate_store.SharedPGPCertificateDirectoryAdapter;
+import pgp.cert_d.BaseDirectoryProvider;
+import pgp.cert_d.SharedPGPCertificateDirectoryImpl;
+import pgp.cert_d.cli.commands.Get;
+import pgp.cert_d.cli.commands.Import;
+import pgp.cert_d.cli.commands.MultiImport;
+import pgp.cert_d.jdbc.sqlite.DatabaseSubkeyLookup;
+import pgp.cert_d.jdbc.sqlite.SqliteSubkeyLookupDaoImpl;
+import pgp.certificate_store.SubkeyLookup;
+import pgp.certificate_store.exception.NotAStoreException;
+import pgp.certificate_store.CertificateDirectory;
+import picocli.CommandLine;
+
+import java.io.File;
+import java.sql.SQLException;
+
+@CommandLine.Command(
+        subcommands = {
+                Import.class,
+                MultiImport.class,
+                Get.class,
+        }
+)
+public class PGPCertDCli {
+
+    @CommandLine.Option(names = "--base-directory", paramLabel = "DIRECTORY", description = "Overwrite the default certificate directory")
+    File baseDirectory;
+
+    private static CertificateDirectory certificateDirectory;
+
+    private int executionStrategy(CommandLine.ParseResult parseResult) {
+        try {
+            initStore();
+        } catch (NotAStoreException | SQLException e) {
+            return -1;
+        }
+        return new CommandLine.RunLast().execute(parseResult);
+    }
+
+    private void initStore() throws NotAStoreException, SQLException {
+        SharedPGPCertificateDirectoryImpl certificateDirectory;
+        SubkeyLookup subkeyLookup;
+        if (baseDirectory == null) {
+            baseDirectory = BaseDirectoryProvider.getDefaultBaseDir();
+        }
+
+        certificateDirectory = new SharedPGPCertificateDirectoryImpl(
+                baseDirectory,
+                new CertificateReader());
+        subkeyLookup = new DatabaseSubkeyLookup(
+                SqliteSubkeyLookupDaoImpl.forDatabaseFile(new File(baseDirectory, "_pgpainless_subkey_map.db")));
+
+        PGPCertDCli.certificateDirectory = new SharedPGPCertificateDirectoryAdapter(certificateDirectory, subkeyLookup);
+    }
+
+    public static void main(String[] args) {
+        PGPCertDCli cli = new PGPCertDCli();
+        new CommandLine(cli)
+                .setExecutionStrategy(parserResult -> cli.executionStrategy(parserResult))
+                .execute(args);
+    }
+
+    public static CertificateDirectory getCertificateDirectory() {
+        return certificateDirectory;
+    }
+}

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/Get.java

@@ -0,0 +1,51 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package pgp.cert_d.cli.commands;
+
+import java.io.IOException;
+
+import org.bouncycastle.util.io.Streams;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import pgp.cert_d.cli.PGPCertDCli;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
+import picocli.CommandLine;
+
+@CommandLine.Command(name = "get",
+        description = "Retrieve certificates from the store")
+public class Get implements Runnable {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(Get.class);
+
+    @CommandLine.Parameters(
+            paramLabel = "IDENTIFIER",
+            arity = "1",
+            description = "Certificate identifier (fingerprint or special name)"
+    )
+    String identifer;
+
+    @Override
+    public void run() {
+        try {
+            Certificate certificate = PGPCertDCli.getCertificateDirectory()
+                    .getCertificate(identifer);
+            if (certificate == null) {
+                return;
+            }
+            Streams.pipeAll(certificate.getInputStream(), System.out);
+        } catch (IOException e) {
+            LOGGER.error("IO Error", e);
+            System.exit(-1);
+        } catch (BadDataException e) {
+            LOGGER.error("Certificate file contains bad data.", e);
+            System.exit(-1);
+        } catch (BadNameException e) {
+            LOGGER.error("Certificate fingerprint mismatch.", e);
+            System.exit(-1);
+        }
+    }
+}

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/Import.java

@@ -0,0 +1,49 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package pgp.cert_d.cli.commands;
+
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import pgp.cert_d.cli.PGPCertDCli;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.MergeCallback;
+import pgp.certificate_store.exception.BadDataException;
+import picocli.CommandLine;
+
+@CommandLine.Command(name = "import",
+        description = "Import or update a certificate")
+public class Import implements Runnable {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(Import.class);
+
+    // TODO: Replace with proper merge callback
+    private final MergeCallback dummyMerge = new MergeCallback() {
+        @Override
+        public Certificate merge(Certificate data, Certificate existing) throws IOException {
+            return data;
+        }
+    };
+
+    @Override
+    public void run() {
+        try {
+            Certificate certificate = PGPCertDCli.getCertificateDirectory().insertCertificate(System.in, dummyMerge);
+            // CHECKSTYLE:OFF
+            System.out.println(certificate.getFingerprint());
+            // CHECKSTYLE:ON
+        } catch (IOException e) {
+            LOGGER.error("IO-Error.", e);
+            System.exit(-1);
+        } catch (InterruptedException e) {
+            LOGGER.error("Thread interrupted.", e);
+            System.exit(-1);
+        } catch (BadDataException e) {
+            LOGGER.error("Certificate contains bad data.", e);
+            System.exit(-1);
+        }
+    }
+}

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/MultiImport.java

@@ -0,0 +1,62 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package pgp.cert_d.cli.commands;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.pgpainless.PGPainless;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import pgp.cert_d.cli.PGPCertDCli;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.MergeCallback;
+import pgp.certificate_store.exception.BadDataException;
+import picocli.CommandLine;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+@CommandLine.Command(name = "multi-import",
+        description = "Import or update multiple certificates")
+public class MultiImport implements Runnable {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(MultiImport.class);
+
+    // TODO: Replace with proper merge callback
+    private final MergeCallback dummyMerge = new MergeCallback() {
+        @Override
+        public Certificate merge(Certificate data, Certificate existing) throws IOException {
+            return data;
+        }
+    };
+
+    @Override
+    public void run() {
+        try {
+            PGPPublicKeyRingCollection certificates = PGPainless.readKeyRing().publicKeyRingCollection(System.in);
+            for (PGPPublicKeyRing cert : certificates) {
+                ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
+                Certificate certificate = PGPCertDCli.getCertificateDirectory()
+                        .insertCertificate(certIn, dummyMerge);
+                // CHECKSTYLE:OFF
+                System.out.println(certificate.getFingerprint());
+                // CHECKSTYLE:ON
+            }
+        } catch (IOException e) {
+            LOGGER.error("IO-Error.", e);
+            System.exit(-1);
+        } catch (InterruptedException e) {
+            LOGGER.error("Thread interrupted.", e);
+            System.exit(-1);
+        } catch (BadDataException e) {
+            LOGGER.error("Certificate contains bad data.", e);
+            System.exit(-1);
+        } catch (PGPException e) {
+            LOGGER.error("PGP Exception.", e);
+            System.exit(-1);
+        }
+    }
+}

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/commands/package-info.java

@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2018 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Subcommands.
+ */
+package pgp.cert_d.cli.commands;

pgpainless-cert-d-cli/src/main/java/pgp/cert_d/cli/package-info.java

@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2018 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * Command Line Interface for the Shared PGP Certificate Directory.
+ */
+package pgp.cert_d.cli;

pgpainless-cert-d-cli/src/test/java/pgp/cert_d/cli/DummyTest.java

@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package pgp.cert_d.cli;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class DummyTest {
+
+    @Test
+    public void test() {
+        assertTrue(true);
+    }
+}

pgpainless-cert-d/README.md

@@ -0,0 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2022 Paul Schaub <info@pgpainless.org>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Shared PGP Certificate Directory + PGPainless
+
+This module makes use of `pgpainless-core` to provide backend implementations of classes required by `pgp-cert-d-java`.

pgpainless-cert-d/build.gradle

@@ -0,0 +1,31 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+plugins {
+    id 'java-library'
+}
+
+group 'org.pgpainless'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
+    testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
+    testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+
+    testImplementation "org.mockito:mockito-core:$mockitoVersion"
+
+    // Logging
+    testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
+
+    api project(":pgpainless-core")
+    api project(":pgp-cert-d-java")
+}
+
+test {
+    useJUnitPlatform()
+}

pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/CertificateFactory.java

@@ -0,0 +1,59 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.certificate_store;
+
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.util.encoders.Base64;
+import org.pgpainless.key.OpenPgpFingerprint;
+import pgp.certificate_store.Certificate;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+public class CertificateFactory {
+
+    public static Certificate certificateFromPublicKeyRing(PGPPublicKeyRing publicKeyRing) {
+        return new Certificate() {
+            @Override
+            public String getFingerprint() {
+                return OpenPgpFingerprint.of(publicKeyRing).toString().toLowerCase();
+            }
+
+            @Override
+            public InputStream getInputStream() throws IOException {
+                return new ByteArrayInputStream(publicKeyRing.getEncoded());
+            }
+
+            @Override
+            public String getTag() throws IOException {
+                MessageDigest digest;
+                try {
+                    digest = MessageDigest.getInstance("SHA-256");
+                } catch (NoSuchAlgorithmException e) {
+                    throw new AssertionError("No MessageDigest for SHA-256 instantiated, although BC is on the classpath: " + e.getMessage());
+                }
+                digest.update(publicKeyRing.getEncoded());
+                return Base64.toBase64String(digest.digest());
+            }
+
+            @Override
+            public Set<Long> getSubkeyIds() throws IOException {
+                Set<Long> keyIds = new HashSet<>();
+                Iterator<PGPPublicKey> keys = publicKeyRing.getPublicKeys();
+                while (keys.hasNext()) {
+                    keyIds.add(keys.next().getKeyID());
+                }
+                return keyIds;
+            }
+        };
+    }
+}

pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/CertificateReader.java

@@ -0,0 +1,22 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.certificate_store;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.pgpainless.PGPainless;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.CertificateReaderBackend;
+
+public class CertificateReader implements CertificateReaderBackend {
+
+    @Override
+    public Certificate readCertificate(InputStream inputStream) throws IOException {
+        final PGPPublicKeyRing certificate = PGPainless.readKeyRing().publicKeyRing(inputStream);
+        return CertificateFactory.certificateFromPublicKeyRing(certificate);
+    }
+}

pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/SharedPGPCertificateDirectoryAdapter.java

@@ -0,0 +1,123 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.certificate_store;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import pgp.cert_d.SharedPGPCertificateDirectory;
+import pgp.cert_d.SpecialNames;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.CertificateDirectory;
+import pgp.certificate_store.CertificateStore;
+import pgp.certificate_store.MergeCallback;
+import pgp.certificate_store.SubkeyLookup;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
+
+/**
+ * Adapter class used to adapt the {@link SharedPGPCertificateDirectory} for use with
+ * {@link CertificateDirectory}.
+ */
+public class SharedPGPCertificateDirectoryAdapter
+        implements CertificateStore {
+
+    private final SharedPGPCertificateDirectory directory;
+    private final SubkeyLookup subkeyLookup;
+
+    /**
+     * Create an adapter to use {@link SharedPGPCertificateDirectory} objects as {@link CertificateDirectory CertificateStores}.
+     *
+     * @param directory directory instance
+     */
+    public SharedPGPCertificateDirectoryAdapter(SharedPGPCertificateDirectory directory, SubkeyLookup subkeyLookup) {
+        this.directory = directory;
+        this.subkeyLookup = subkeyLookup;
+    }
+
+    @Override
+    public Certificate getCertificate(String identifier)
+            throws IOException, BadDataException, BadNameException {
+        String specialName = SpecialNames.lookupSpecialName(identifier);
+        if (specialName != null) {
+            return directory.getBySpecialName(specialName);
+        }
+
+        return directory.getByFingerprint(identifier);
+
+    }
+
+    @Override
+    public Certificate getCertificateIfChanged(String identifier, String tag)
+            throws IOException, BadDataException, BadNameException {
+        String specialName = SpecialNames.lookupSpecialName(identifier);
+        if (specialName != null) {
+            return directory.getBySpecialNameIfChanged(specialName, tag);
+        }
+
+        return directory.getByFingerprintIfChanged(identifier, tag);
+
+    }
+
+    @Override
+    public Certificate insertCertificate(InputStream data, MergeCallback merge)
+            throws IOException, InterruptedException, BadDataException {
+        Certificate certificate = directory.insert(data, merge);
+        storeIdentifierForSubkeys(certificate);
+        return certificate;
+    }
+
+    @Override
+    public Certificate tryInsertCertificate(InputStream data, MergeCallback merge)
+            throws IOException, BadDataException {
+        Certificate certificate = directory.tryInsert(data, merge);
+        storeIdentifierForSubkeys(certificate);
+        return certificate;
+    }
+
+    @Override
+    public Certificate insertCertificateBySpecialName(String specialName, InputStream data, MergeCallback merge)
+            throws IOException, InterruptedException, BadDataException, BadNameException {
+        return directory.insertWithSpecialName(specialName, data, merge);
+    }
+
+    @Override
+    public Certificate tryInsertCertificateBySpecialName(String specialName, InputStream data, MergeCallback merge)
+            throws IOException, BadDataException, BadNameException {
+        return directory.tryInsertWithSpecialName(specialName, data, merge);
+    }
+
+    @Override
+    public Iterator<Certificate> getCertificates() {
+        return directory.items();
+    }
+
+    @Override
+    public Iterator<String> getFingerprints() {
+        return directory.fingerprints();
+    }
+
+    private void storeIdentifierForSubkeys(Certificate certificate) throws IOException {
+        if (certificate == null) {
+            return;
+        }
+        String fingerprint = certificate.getFingerprint();
+        storeCertificateSubkeyIds(fingerprint, new ArrayList<>(certificate.getSubkeyIds()));
+    }
+
+    @Override
+    public Set<String> getCertificateFingerprintsForSubkeyId(long subkeyId) throws IOException {
+        return subkeyLookup.getCertificateFingerprintsForSubkeyId(subkeyId);
+    }
+
+    @Override
+    public void storeCertificateSubkeyIds(String certificate, List<Long> subkeyIds) throws IOException {
+        subkeyLookup.storeCertificateSubkeyIds(certificate, subkeyIds);
+    }
+}

pgpainless-cert-d/src/main/java/org/pgpainless/certificate_store/package-info.java

@@ -0,0 +1,8 @@
+// SPDX-FileCopyrightText: 2018 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+/**
+ * PGPainless + Certificate Store.
+ */
+package org.pgpainless.certificate_store;

pgpainless-cert-d/src/test/java/org/pgpainless/cert_d/SharedPGPCertificateDirectoryAdapterTest.java

@@ -0,0 +1,230 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cert_d;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.bouncycastle.util.encoders.Hex;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.pgpainless.certificate_store.CertificateReader;
+import org.pgpainless.certificate_store.SharedPGPCertificateDirectoryAdapter;
+import pgp.cert_d.InMemorySubkeyLookup;
+import pgp.cert_d.SharedPGPCertificateDirectoryImpl;
+import pgp.certificate_store.CertificateStore;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
+import pgp.certificate_store.exception.NotAStoreException;
+import pgp.certificate_store.Certificate;
+
+public class SharedPGPCertificateDirectoryAdapterTest {
+
+    private static final String testCertificate = "98330462069cc616092b06010401da470f010107400db5906b09f701ab1f7f96087eedab6ba44c02fcbd2470137cfeacac5a2d032db405416c696365888f0413160a0041050262069cc609906f054e826378552516a104505b134a7e62f0f154ec3d036f054e8263785525029e01029b01059602030100048b09080705950a09080b0299010000a12600fd117925c0f2192ef5b2a44e3d3038e2a7ce5ba0343fc2dfb661a3a46d1276fb380100bf2872e7e36b63f61ae3556464c4a04344e7d36e0d7313e623effb0290ce0b0fb8380462069cc6120a2b06010401975501050101074034ffd523242385fe92034a5e326a82f4edff614516cc1028ca91fb653557f25b0301080788750418160a001d050262069cc6029e01029b0c059602030100048b09080705950a09080b000a09106f054e8263785525391400ff4eb85df8ddfc15e94c9cf28bc0aa9d0426b571ca64c5421be5889d5410d8632f00fd1ac5e9aed683e711282489d8980222d2ceff15c5ce0499fcb36716d850749406b8330462069cc616092b06010401da470f0101074058f296fb7ce456039856144db677f14018963a8bfd281c84aaeebe7e14df8f1c88d50418160a007d050262069cc6029e01029b02059602030100048b09080705950a09080b5f200419160a0006050262069cc6000a09108119c86e0a4c6dc73a7600ff5e25427da84d824cc3f8890bc6bd037f423f610006e1249b1aad3d7f70ac47a100fc08e67a6a945c1feec301df9dc27e7ea4e61d107d0720e814eea1dc4f1da20a08000a09106f054e8263785525359700ff4ce78cf267c261468322de906118d4f003ceefa72fa3b86119e26f99be3727fc00fe3895207c4aac814549f0189d2f494f5b1fcee7f6da344e63a0c32743b216b406";
+    private static final String testCertFingerprint = "505b134a7e62f0f154ec3d036f054e8263785525";
+    private static final long testCertificateSubkey1 = 7999886635015099685L;
+    private static final long testCertificateSubkey2 = -5375724347241457298L;
+    private static final long testCertificateSubkey3 = -9144057193454342713L;
+
+    private SharedPGPCertificateDirectoryAdapter adapter;
+    private CertificateStore store;
+
+    @BeforeEach
+    public void setupInstance() throws IOException, NotAStoreException {
+        adapter = new SharedPGPCertificateDirectoryAdapter(
+                new SharedPGPCertificateDirectoryImpl(tempDir(), new CertificateReader()),
+                new InMemorySubkeyLookup());
+        store = adapter;
+    }
+
+    private static File tempDir() throws IOException {
+        File tempDir = Files.createTempDirectory("pgp.cert.d-").toFile();
+        tempDir.deleteOnExit();
+        return tempDir;
+    }
+
+    @Test
+    public void getNonExistentCertIsNull() throws IOException, BadDataException, BadNameException {
+        assertNull(store.getCertificate("eb85bb5fa33a75e15e944e63f231550c4f47e38e"));
+    }
+
+    @Test
+    public void getInvalidIdentifierThrows() {
+        assertThrows(BadNameException.class, () -> store.getCertificate("invalid"));
+    }
+
+    @Test
+    public void insertAndGet() throws IOException, InterruptedException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+
+        Certificate certificate = store.insertCertificate(byteIn, (data, existing) -> data);
+
+        assertEquals(fingerprint, certificate.getFingerprint());
+        Set<Long> expectedSubkeys = new HashSet<>(Arrays.asList(testCertificateSubkey1, testCertificateSubkey2, testCertificateSubkey3));
+        Set<Long> subkeys = certificate.getSubkeyIds();
+        assertEquals(expectedSubkeys, subkeys);
+        for (long subkey : subkeys) {
+            assertEquals(Collections.singleton(fingerprint), store.getCertificateFingerprintsForSubkeyId(subkey));
+        }
+
+        Certificate retrieved = store.getCertificate(fingerprint);
+        assertNotNull(retrieved);
+        ByteArrayOutputStream retrievedOut = new ByteArrayOutputStream();
+        Streams.pipeAll(retrieved.getInputStream(), retrievedOut);
+
+        assertArrayEquals(bytes, retrievedOut.toByteArray());
+    }
+
+
+    @Test
+    public void tryInsertAndGet() throws IOException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+
+        Certificate certificate = store.tryInsertCertificate(byteIn, (data, existing) -> data);
+
+        assertEquals(fingerprint, certificate.getFingerprint());
+        Set<Long> subkeys = certificate.getSubkeyIds();
+        assertEquals(3, subkeys.size());
+        for (long subkey : subkeys) {
+            assertEquals(Collections.singleton(fingerprint), store.getCertificateFingerprintsForSubkeyId(subkey));
+        }
+
+        Certificate retrieved = store.getCertificate(fingerprint);
+        assertNotNull(retrieved);
+        ByteArrayOutputStream retrievedOut = new ByteArrayOutputStream();
+        Streams.pipeAll(retrieved.getInputStream(), retrievedOut);
+
+        assertArrayEquals(bytes, retrievedOut.toByteArray());
+    }
+
+
+    @Test
+    public void insertAndGetIfChanged() throws IOException, InterruptedException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+
+        Certificate certificate = store.insertCertificate(byteIn, (data, existing) -> data);
+        String tag = certificate.getTag();
+
+        assertNull(store.getCertificateIfChanged(fingerprint, tag));
+        assertNotNull(store.getCertificateIfChanged(fingerprint, "invalid"));
+    }
+
+    @Test
+    public void insertBySpecialNameAndGet() throws IOException, InterruptedException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+        String identifier = "trust-root";
+
+        Certificate certificate = store.insertCertificateBySpecialName(identifier, byteIn, (data, existing) -> data);
+
+        assertEquals(fingerprint, certificate.getFingerprint());
+
+        Certificate retrieved = store.getCertificate(identifier);
+        assertNotNull(retrieved);
+        ByteArrayOutputStream retrievedOut = new ByteArrayOutputStream();
+        Streams.pipeAll(retrieved.getInputStream(), retrievedOut);
+
+        assertArrayEquals(bytes, retrievedOut.toByteArray());
+    }
+
+    @Test
+    public void tryInsertBySpecialNameAndGet() throws IOException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+        String identifier = "trust-root";
+
+        Certificate certificate = store.tryInsertCertificateBySpecialName(identifier, byteIn, (data, existing) -> data);
+
+        assertEquals(fingerprint, certificate.getFingerprint());
+
+        Certificate retrieved = store.getCertificate(identifier);
+        assertNotNull(retrieved);
+        ByteArrayOutputStream retrievedOut = new ByteArrayOutputStream();
+        Streams.pipeAll(retrieved.getInputStream(), retrievedOut);
+
+        assertArrayEquals(bytes, retrievedOut.toByteArray());
+    }
+
+    @Test
+    public void insertBySpecialNameAndGetIfChanged() throws IOException, InterruptedException, BadDataException, BadNameException {
+        byte[] bytes = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn = new ByteArrayInputStream(bytes);
+        String fingerprint = testCertFingerprint;
+        String identifier = "trust-root";
+
+        Certificate certificate = store.insertCertificateBySpecialName(identifier, byteIn, (data, existing) -> data);
+        String tag = certificate.getTag();
+
+        certificate = store.getCertificateIfChanged(identifier, tag);
+        assertNull(certificate);
+        certificate = store.getCertificateIfChanged(identifier, "invalid");
+        assertNotNull(certificate);
+        assertEquals(fingerprint, certificate.getFingerprint());
+    }
+
+    @Test
+    public void getItemsAndFingerprints() throws IOException, InterruptedException, BadDataException, BadNameException {
+        byte[] bytes1 = Hex.decode(testCertificate);
+        ByteArrayInputStream byteIn1 = new ByteArrayInputStream(bytes1);
+        Certificate firstCert = store.insertCertificate(byteIn1, (data, existing) -> data);
+
+        byte[] bytes2 = Hex.decode("9833046206a37516092b06010401da470f010107409f55baab1599044096ba901d69854cf5307b84b0542871b15db3dd4c62664f37b403426f62888f0413160a004105026206a3750990ba01b5a9eea7e76716a104f1d47fb85ad74549a37974f3ba01b5a9eea7e767029e01029b01059602030100048b09080705950a09080b0299010000e6170100e08374a6fd32d0b4be2d3f7c75d3f6c13cb47b1b73589aa452a1b2a16b888b5000fe274e6565ab9faa34338cf4d805663f8775fdee4ec6a0fdf1ec2cf84b72907f05b838046206a375120a2b0601040197550105010107405641e74d2dda92003ce200422c3ab6f3562fc49a8ecc67ea02593988442b23780301080788750418160a001d05026206a375029e01029b0c059602030100048b09080705950a09080b000a0910ba01b5a9eea7e76732850100910a6049779773f455226cd91645884842b91017796287a634104ab5364a0c0d00fe20b5febb17de271394f31128f709c307c0bbca4f9502570744bd54e6dc9c2209b833046206a37516092b06010401da470f0101074059f008928cb69b48bed07a639f03f43a48808aade67109cd658f54bddefa5ec288d50418160a007d05026206a375029e01029b02059602030100048b09080705950a09080b5f200419160a000605026206a375000a0910dcdb34f4068368c0dffb010095fb1f6daac239bf3221d9d2ecc81b6cb258c2b058a300a7e103f7f36a58bf1900fe273a9eaaa03b613236df22bebcbbd69d7c02caf1b7af4fa29320c8d96d32310f000a0910ba01b5a9eea7e7671de20100a5044d24a9d860f9af7e8b9a095d4eac8820fad8b045e70be1ae5607fa4d6b4f010097b53d1527f3b3e3d3b78367c8269c999ee37575a51ffc582f73d2cba4df080f");
+        ByteArrayInputStream byteIn2 = new ByteArrayInputStream(bytes2);
+        Certificate secondCert = store.insertCertificate(byteIn2, ((data, existing) -> data));
+
+        String trustRootHex = "9833046206a57e16092b06010401da470f010107401ad7351d9766843bf11a8414f68790df0649fad8b01c244323f47e4ebc87fc35b40a74727573742d726f6f74888f0413160a004105026206a57f09907c619691ddee5fc216a10489e1e05cb458758d0729eb0c7c619691ddee5fc2029e01029b01059602030100048b09080705950a09080b029901000080c100ff45d97dda133895e337416266f1ff2c38ff3947ecfbfe21328d51bc877ccba367010096698a5fbac9444b7b28b96389c66ca405821f04871f1bbbf5b5bf8b800f9104b838046206a57f120a2b06010401975501050101074074ff41705c50e8f27b18df40a53aded6cacd2ce4f88b471c7130036010ca60240301080788750418160a001d05026206a57f029e01029b0c059602030100048b09080705950a09080b000a09107c619691ddee5fc27b3c0100fba12230adf80a6a7a376b9568481ab4ae86628274db67412074cb4a846011a200ff437e4047bbafec42b41594b296f8be93fc03482b2d35ac92e87ce632b86bc900b833046206a57f16092b06010401da470f01010740ce99f97d1f0b5aa2f4e6f2a7a2aa231da8c2a2f489a593b747983a750f3928ae88d50418160a007d05026206a57f029e01029b02059602030100048b09080705950a09080b5f200419160a000605026206a57f000a0910b905cb706dec67e3f6050100a7ae51ea07f3d0d493fd1fdfbcbbe112c19de8dbbd29e03ba5e755345444402300fe2663252eeca21772012c5dc4eb9efa4e01566dffbb44e7d1536181eb3f8b420e000a09107c619691ddee5fc2a4190100fdbedf9defd5d30bad77937a5589441ef336028613a6fcfc4a959bee51de134e00fd128628567b66fa03ef099d6936324f7593e2060608b433828d336dda552e2c04";
+        byte[] trustRootBytes = Hex.decode(trustRootHex);
+        ByteArrayInputStream trustRootIn = new ByteArrayInputStream(trustRootBytes);
+        Certificate trustRoot = store.insertCertificateBySpecialName("trust-root", trustRootIn, (data, existing) -> data);
+
+        Set<String> expectedFingerprints = new HashSet<>();
+        expectedFingerprints.add(firstCert.getFingerprint());
+        expectedFingerprints.add(secondCert.getFingerprint());
+
+        Iterator<Certificate> certificateIterator = store.getCertificates();
+        Set<String> actualFingerprints = new HashSet<>();
+        Certificate c = certificateIterator.next();
+        actualFingerprints.add(c.getFingerprint());
+        c = certificateIterator.next();
+        actualFingerprints.add(c.getFingerprint());
+        assertFalse(certificateIterator.hasNext());
+
+        assertEquals(expectedFingerprints, actualFingerprints);
+        assertFalse(actualFingerprints.contains(trustRoot.getFingerprint()));
+
+        Iterator<String> fingerprintIterator = store.getFingerprints();
+        actualFingerprints = new HashSet<>();
+        actualFingerprints.add(fingerprintIterator.next());
+        actualFingerprints.add(fingerprintIterator.next());
+        assertFalse(fingerprintIterator.hasNext());
+
+        assertEquals(expectedFingerprints, actualFingerprints);
+        assertFalse(actualFingerprints.contains(trustRoot.getFingerprint()));
+    }
+}

pgpainless-cert-d/src/test/java/org/pgpainless/cert_d/SharedPGPCertificateDirectoryTest.java

@@ -0,0 +1,194 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.cert_d;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assumptions.assumeTrue;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Stream;
+
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
+import org.bouncycastle.util.io.Streams;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.pgpainless.PGPainless;
+import org.pgpainless.algorithm.KeyFlag;
+import org.pgpainless.certificate_store.CertificateReader;
+import org.pgpainless.key.OpenPgpFingerprint;
+import org.pgpainless.key.generation.KeySpec;
+import org.pgpainless.key.generation.type.KeyType;
+import org.pgpainless.key.generation.type.eddsa.EdDSACurve;
+import pgp.cert_d.CachingSharedPGPCertificateDirectoryWrapper;
+import pgp.cert_d.FileLockingMechanism;
+import pgp.cert_d.SharedPGPCertificateDirectory;
+import pgp.cert_d.SharedPGPCertificateDirectoryImpl;
+import pgp.certificate_store.exception.BadDataException;
+import pgp.certificate_store.exception.BadNameException;
+import pgp.certificate_store.exception.NotAStoreException;
+import pgp.certificate_store.Certificate;
+import pgp.certificate_store.MergeCallback;
+
+public class SharedPGPCertificateDirectoryTest {
+
+    private static MergeCallback dummyMerge = new MergeCallback() {
+        @Override
+        public Certificate merge(Certificate data, Certificate existing) {
+            return data;
+        }
+    };
+
+    private static Stream<SharedPGPCertificateDirectory> provideTestSubjects() throws IOException, NotAStoreException {
+        return Stream.of(
+                new SharedPGPCertificateDirectoryImpl(tempDir(), new CertificateReader()),
+                new CachingSharedPGPCertificateDirectoryWrapper(
+                        new SharedPGPCertificateDirectoryImpl(tempDir(), new CertificateReader()))
+        );
+    }
+
+    private static File tempDir() throws IOException {
+        File tempDir = Files.createTempDirectory("pgp.cert.d-").toFile();
+        tempDir.deleteOnExit();
+        return tempDir;
+    }
+
+    @ParameterizedTest
+    @MethodSource("provideTestSubjects")
+    public void simpleInsertGet(SharedPGPCertificateDirectory directory)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
+            BadDataException, InterruptedException, BadNameException {
+        PGPSecretKeyRing key = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(cert);
+        ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
+
+        // standard case: get() is null
+        assertNull(directory.getByFingerprint(fingerprint.toString().toLowerCase()));
+
+        // insert and check returned certs fingerprint
+        Certificate certificate = directory.insert(certIn, dummyMerge);
+        assertEquals(fingerprint.toString().toLowerCase(), certificate.getFingerprint());
+
+        // getIfChanged
+        assertNull(directory.getByFingerprintIfChanged(certificate.getFingerprint(), certificate.getTag()));
+        assertNotNull(directory.getByFingerprintIfChanged(certificate.getFingerprint(), "invalidTag"));
+
+        // tryInsert
+        certIn = new ByteArrayInputStream(cert.getEncoded());
+        assertNotNull(directory.tryInsert(certIn, dummyMerge));
+    }
+
+    @ParameterizedTest
+    @MethodSource("provideTestSubjects")
+    public void simpleInsertGetBySpecialName(SharedPGPCertificateDirectory directory)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
+            BadDataException, InterruptedException, BadNameException {
+        PGPSecretKeyRing key = PGPainless.buildKeyRing()
+                .addUserId("trust-root")
+                .setPrimaryKey(KeySpec.getBuilder(KeyType.EDDSA(EdDSACurve._Ed25519), KeyFlag.CERTIFY_OTHER))
+                .build();
+        PGPPublicKeyRing trustRoot = PGPainless.extractCertificate(key);
+        OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(trustRoot);
+        ByteArrayInputStream certIn = new ByteArrayInputStream(trustRoot.getEncoded());
+
+        // standard case: get() is null
+        assertNull(directory.getBySpecialName("trust-root"));
+
+        // insert and check returned certs fingerprint
+        Certificate certificate = directory.insertWithSpecialName("trust-root", certIn, dummyMerge);
+        assertEquals(fingerprint.toString().toLowerCase(), certificate.getFingerprint());
+
+        // getIfChanged
+        assertNull(directory.getBySpecialNameIfChanged("trust-root", certificate.getTag()));
+        assertNotNull(directory.getBySpecialNameIfChanged("trust-root", "invalidTag"));
+
+        // tryInsert
+        certIn = new ByteArrayInputStream(trustRoot.getEncoded());
+        assertNotNull(directory.tryInsertWithSpecialName("trust-root", certIn, dummyMerge));
+    }
+
+    @ParameterizedTest
+    @MethodSource("provideTestSubjects")
+    public void tryInsertFailsWithLockedStore(SharedPGPCertificateDirectory directory)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
+            BadDataException, InterruptedException {
+        assumeTrue(directory.getLock() instanceof FileLockingMechanism);
+
+        PGPSecretKeyRing key = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
+        ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
+
+        directory.getLock().lockDirectory();
+        assertNull(directory.tryInsert(certIn, dummyMerge));
+
+        directory.getLock().releaseDirectory();
+        assertNotNull(directory.tryInsert(certIn, dummyMerge));
+    }
+
+    @ParameterizedTest
+    @MethodSource("provideTestSubjects")
+    public void testGetItemsAndFingerprints(SharedPGPCertificateDirectory directory)
+            throws PGPException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IOException,
+            BadDataException, InterruptedException, BadNameException {
+
+        PGPSecretKeyRing trustRootKey = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+        PGPPublicKeyRing trustRootCert = PGPainless.extractCertificate(trustRootKey);
+        OpenPgpFingerprint trustRootFingerprint = OpenPgpFingerprint.of(trustRootCert);
+        ByteArrayInputStream trustRootCertIn = new ByteArrayInputStream(trustRootCert.getEncoded());
+        directory.insertWithSpecialName("trust-root", trustRootCertIn, dummyMerge);
+
+        final int certificateCount = 3;
+        Map<String, PGPPublicKeyRing> certificateMap = new HashMap<>();
+        for (int i = 0; i < certificateCount; i++) {
+            PGPSecretKeyRing key = PGPainless.generateKeyRing().modernKeyRing("Alice", null);
+            PGPPublicKeyRing cert = PGPainless.extractCertificate(key);
+            OpenPgpFingerprint fingerprint = OpenPgpFingerprint.of(cert);
+            certificateMap.put(fingerprint.toString().toLowerCase(), cert);
+
+            ByteArrayInputStream certIn = new ByteArrayInputStream(cert.getEncoded());
+            directory.insert(certIn, dummyMerge);
+        }
+
+        Iterator<Certificate> certificates = directory.items();
+        int count = 0;
+        while (certificates.hasNext()) {
+            count++;
+            Certificate certificate = certificates.next();
+            String fingerprint = certificate.getFingerprint();
+            assertNotNull(certificateMap.get(fingerprint));
+            ByteArrayOutputStream out = new ByteArrayOutputStream();
+            Streams.pipeAll(certificate.getInputStream(), out);
+            assertArrayEquals(certificateMap.get(fingerprint).getEncoded(), out.toByteArray());
+        }
+
+        assertEquals(certificateCount, count);
+
+        Iterator<String> fingerprints = directory.fingerprints();
+        Set<String> fingerprintSet = new HashSet<>();
+        while (fingerprints.hasNext()) {
+            String fingerprint = fingerprints.next();
+            fingerprintSet.add(fingerprint);
+            assertNotNull(certificateMap.get(fingerprint));
+        }
+
+        assertEquals(certificateCount, fingerprintSet.size());
+    }
+}

settings.gradle

@@ -0,0 +1,9 @@
+// SPDX-FileCopyrightText: 2022 Paul Schaub <info@pgpainless.org>
+//
+// SPDX-License-Identifier: CC0-1.0
+
+rootProject.name = 'cert-d-pgpainless'
+
+include 'pgpainless-cert-d',
+        'pgpainless-cert-d-cli'
+

version.gradle

@@ -0,0 +1,12 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub <info@pgpainless.org>
+//
+// SPDX-License-Identifier: CC0-1.0
+
+allprojects {
+    ext {
+        shortVersion = '0.1.0'
+        isSnapshot = true
+        minAndroidSdk = 10
+        javaSourceCompatibility = 1.8
+    }
+}