mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-12-23 03:17:58 +01:00
Refactoring
This commit is contained in:
parent
c3dfb254b1
commit
73b7f1b9bb
5 changed files with 164 additions and 122 deletions
|
@ -0,0 +1,66 @@
|
|||
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.encryption_signing;
|
||||
|
||||
import java.security.MessageDigest;
|
||||
import java.util.List;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPrivateKey;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
import org.bouncycastle.openpgp.PGPSecretKey;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.PGPSignatureGenerator;
|
||||
import org.pgpainless.PGPainless;
|
||||
import org.pgpainless.algorithm.SignatureType;
|
||||
import org.pgpainless.key.info.KeyRingInfo;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||
|
||||
import javax.annotation.Nonnull;
|
||||
|
||||
public class BcHashContextSigner {
|
||||
|
||||
public static PGPSignature signHashContext(@Nonnull MessageDigest hashContext,
|
||||
@Nonnull SignatureType signatureType,
|
||||
@Nonnull PGPSecretKeyRing secretKeys,
|
||||
@Nonnull SecretKeyRingProtector protector)
|
||||
throws PGPException {
|
||||
KeyRingInfo info = PGPainless.inspectKeyRing(secretKeys);
|
||||
List<PGPPublicKey> signingSubkeyCandidates = info.getSigningSubkeys();
|
||||
PGPSecretKey signingKey = null;
|
||||
for (PGPPublicKey signingKeyCandidate : signingSubkeyCandidates) {
|
||||
signingKey = secretKeys.getSecretKey(signingKeyCandidate.getKeyID());
|
||||
if (signingKey != null) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (signingKey == null) {
|
||||
throw new PGPException("Key does not contain suitable signing subkey.");
|
||||
}
|
||||
|
||||
PGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(signingKey, protector);
|
||||
return signHashContext(hashContext, signatureType, privateKey);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an OpenPGP Signature over the given {@link MessageDigest} hash context.
|
||||
*
|
||||
* @param hashContext hash context
|
||||
* @param privateKey signing-capable key
|
||||
* @return signature
|
||||
* @throws PGPException in case of an OpenPGP error
|
||||
*/
|
||||
static PGPSignature signHashContext(MessageDigest hashContext, SignatureType signatureType, PGPPrivateKey privateKey)
|
||||
throws PGPException {
|
||||
PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
|
||||
new BcPGPHashContextContentSignerBuilder(hashContext)
|
||||
);
|
||||
|
||||
sigGen.init(signatureType.getCode(), privateKey);
|
||||
return sigGen.generate();
|
||||
}
|
||||
}
|
|
@ -2,9 +2,8 @@
|
|||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.signature.builder;
|
||||
package org.pgpainless.encryption_signing;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
import java.security.MessageDigest;
|
||||
|
||||
|
@ -37,13 +36,13 @@ import org.pgpainless.algorithm.PublicKeyAlgorithm;
|
|||
* This can come in handy to sign data, which was already processed to calculate the hash context, without the
|
||||
* need to process it again to calculate the OpenPGP signature.
|
||||
*/
|
||||
public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuilder {
|
||||
class BcPGPHashContextContentSignerBuilder extends PGPHashContextContentSignerBuilder {
|
||||
|
||||
private final BcPGPKeyConverter keyConverter = new BcPGPKeyConverter();
|
||||
private final MessageDigest messageDigest;
|
||||
private final HashAlgorithm hashAlgorithm;
|
||||
|
||||
public HashContextPGPContentSignerBuilder(MessageDigest messageDigest) {
|
||||
public BcPGPHashContextContentSignerBuilder(MessageDigest messageDigest) {
|
||||
this.messageDigest = messageDigest;
|
||||
this.hashAlgorithm = HashAlgorithm.fromName(messageDigest.getAlgorithm());
|
||||
if (hashAlgorithm == null) {
|
||||
|
@ -76,7 +75,7 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
|
|||
}
|
||||
|
||||
public OutputStream getOutputStream() {
|
||||
return new SignerOutputStream(signer);
|
||||
return new PGPHashContextContentSignerBuilder.SignerOutputStream(signer);
|
||||
}
|
||||
|
||||
public byte[] getSignature() {
|
||||
|
@ -117,49 +116,6 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
|
|||
}
|
||||
}
|
||||
|
||||
static class ExistingMessageDigest implements Digest {
|
||||
|
||||
private final MessageDigest digest;
|
||||
|
||||
ExistingMessageDigest(MessageDigest messageDigest) {
|
||||
this.digest = messageDigest;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(byte in) {
|
||||
digest.update(in);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(byte[] in, int inOff, int len) {
|
||||
digest.update(in, inOff, len);
|
||||
}
|
||||
|
||||
@Override
|
||||
public int doFinal(byte[] out, int outOff) {
|
||||
byte[] hash = digest.digest();
|
||||
System.arraycopy(hash, 0, out, outOff, hash.length);
|
||||
return getDigestSize();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void reset() {
|
||||
// Nope!
|
||||
// We cannot reset, since BCs signer classes are resetting in their init() methods, which would also reset
|
||||
// the messageDigest, losing its state. This would shatter our intention.
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getAlgorithmName() {
|
||||
return digest.getAlgorithm();
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getDigestSize() {
|
||||
return digest.getDigestLength();
|
||||
}
|
||||
}
|
||||
|
||||
// Copied from BCs BcImplProvider - required since BCs class is package visible only :/
|
||||
private static class EdDsaSigner
|
||||
implements Signer {
|
||||
|
@ -210,28 +166,4 @@ public class HashContextPGPContentSignerBuilder implements PGPContentSignerBuild
|
|||
}
|
||||
}
|
||||
|
||||
// Copied from BC, required since BCs class is package visible only
|
||||
static class SignerOutputStream
|
||||
extends OutputStream {
|
||||
private Signer sig;
|
||||
|
||||
SignerOutputStream(Signer sig) {
|
||||
this.sig = sig;
|
||||
}
|
||||
|
||||
public void write(byte[] bytes, int off, int len)
|
||||
throws IOException {
|
||||
sig.update(bytes, off, len);
|
||||
}
|
||||
|
||||
public void write(byte[] bytes)
|
||||
throws IOException {
|
||||
sig.update(bytes, 0, bytes.length);
|
||||
}
|
||||
|
||||
public void write(int b)
|
||||
throws IOException {
|
||||
sig.update((byte) b);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,86 @@
|
|||
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.encryption_signing;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.OutputStream;
|
||||
import java.security.MessageDigest;
|
||||
|
||||
import org.bouncycastle.crypto.Digest;
|
||||
import org.bouncycastle.crypto.Signer;
|
||||
import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder;
|
||||
|
||||
abstract class PGPHashContextContentSignerBuilder implements PGPContentSignerBuilder {
|
||||
|
||||
// Copied from BC, required since BCs class is package visible only
|
||||
static class SignerOutputStream
|
||||
extends OutputStream {
|
||||
private Signer sig;
|
||||
|
||||
SignerOutputStream(Signer sig) {
|
||||
this.sig = sig;
|
||||
}
|
||||
|
||||
public void write(byte[] bytes, int off, int len)
|
||||
throws IOException {
|
||||
sig.update(bytes, off, len);
|
||||
}
|
||||
|
||||
public void write(byte[] bytes)
|
||||
throws IOException {
|
||||
sig.update(bytes, 0, bytes.length);
|
||||
}
|
||||
|
||||
public void write(int b)
|
||||
throws IOException {
|
||||
sig.update((byte) b);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static class ExistingMessageDigest implements Digest {
|
||||
|
||||
private final MessageDigest digest;
|
||||
|
||||
ExistingMessageDigest(MessageDigest messageDigest) {
|
||||
this.digest = messageDigest;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(byte in) {
|
||||
digest.update(in);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void update(byte[] in, int inOff, int len) {
|
||||
digest.update(in, inOff, len);
|
||||
}
|
||||
|
||||
@Override
|
||||
public int doFinal(byte[] out, int outOff) {
|
||||
byte[] hash = digest.digest();
|
||||
System.arraycopy(hash, 0, out, outOff, hash.length);
|
||||
return getDigestSize();
|
||||
}
|
||||
|
||||
@Override
|
||||
public void reset() {
|
||||
// Nope!
|
||||
// We cannot reset, since BCs signer classes are resetting in their init() methods, which would also reset
|
||||
// the messageDigest, losing its state. This would shatter our intention.
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getAlgorithmName() {
|
||||
return digest.getAlgorithm();
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getDigestSize() {
|
||||
return digest.getDigestLength();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.signature.builder;
|
||||
|
||||
import java.security.MessageDigest;
|
||||
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPrivateKey;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
import org.bouncycastle.openpgp.PGPSignatureGenerator;
|
||||
import org.pgpainless.algorithm.SignatureType;
|
||||
|
||||
public class HashContextSigner {
|
||||
|
||||
/**
|
||||
* Create an OpenPGP Signature over the given {@link MessageDigest} hash context.
|
||||
*
|
||||
* WARNING: This method does not yet validate the signing key.
|
||||
* TODO: Change API to receive and evaluate PGPSecretKeyRing + SecretKeyRingProtector instead.
|
||||
*
|
||||
* @param hashContext hash context
|
||||
* @param privateKey signing-capable key
|
||||
* @return signature
|
||||
* @throws PGPException in case of an OpenPGP error
|
||||
*/
|
||||
public static PGPSignature signHashContext(MessageDigest hashContext, SignatureType signatureType, PGPPrivateKey privateKey)
|
||||
throws PGPException {
|
||||
// TODO: Validate signing key
|
||||
PGPSignatureGenerator sigGen = new PGPSignatureGenerator(
|
||||
new HashContextPGPContentSignerBuilder(hashContext)
|
||||
);
|
||||
|
||||
sigGen.init(signatureType.getCode(), privateKey);
|
||||
return sigGen.generate();
|
||||
}
|
||||
}
|
|
@ -2,7 +2,7 @@
|
|||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
package org.pgpainless.signature;
|
||||
package org.pgpainless.encryption_signing;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
|
@ -17,7 +17,6 @@ import java.security.NoSuchAlgorithmException;
|
|||
|
||||
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||
import org.bouncycastle.openpgp.PGPException;
|
||||
import org.bouncycastle.openpgp.PGPPrivateKey;
|
||||
import org.bouncycastle.openpgp.PGPPublicKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSecretKeyRing;
|
||||
import org.bouncycastle.openpgp.PGPSignature;
|
||||
|
@ -30,11 +29,9 @@ import org.pgpainless.decryption_verification.ConsumerOptions;
|
|||
import org.pgpainless.decryption_verification.DecryptionStream;
|
||||
import org.pgpainless.decryption_verification.OpenPgpMetadata;
|
||||
import org.pgpainless.key.generation.type.rsa.RsaLength;
|
||||
import org.pgpainless.key.protection.UnlockSecretKey;
|
||||
import org.pgpainless.signature.builder.HashContextSigner;
|
||||
import org.pgpainless.util.Passphrase;
|
||||
import org.pgpainless.key.protection.SecretKeyRingProtector;
|
||||
|
||||
public class HashContextSignerTest {
|
||||
public class BcHashContextSignerTest {
|
||||
|
||||
private static final String message = "Hello, World!\n";
|
||||
private static final String KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
|
||||
|
@ -88,15 +85,14 @@ public class HashContextSignerTest {
|
|||
}
|
||||
}
|
||||
|
||||
private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm) throws PGPException, NoSuchAlgorithmException, IOException {
|
||||
private void signFromContext(PGPSecretKeyRing secretKeys, HashAlgorithm hashAlgorithm)
|
||||
throws PGPException, NoSuchAlgorithmException, IOException {
|
||||
PGPPublicKeyRing certificate = PGPainless.extractCertificate(secretKeys);
|
||||
long signingKeyId = PGPainless.inspectKeyRing(certificate).getSigningSubkeys().get(0).getKeyID();
|
||||
PGPPrivateKey signingKey = UnlockSecretKey.unlockSecretKey(secretKeys.getSecretKey(signingKeyId), Passphrase.emptyPassphrase());
|
||||
|
||||
byte[] messageBytes = message.getBytes(StandardCharsets.UTF_8);
|
||||
ByteArrayInputStream messageIn = new ByteArrayInputStream(messageBytes);
|
||||
|
||||
PGPSignature signature = signMessage(messageBytes, hashAlgorithm, signingKey);
|
||||
PGPSignature signature = signMessage(messageBytes, hashAlgorithm, secretKeys);
|
||||
assertEquals(hashAlgorithm.getAlgorithmId(), signature.getHashAlgorithm());
|
||||
|
||||
DecryptionStream decryptionStream = PGPainless.decryptAndOrVerify()
|
||||
|
@ -113,13 +109,13 @@ public class HashContextSignerTest {
|
|||
assertTrue(metadata.isVerified());
|
||||
}
|
||||
|
||||
private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPPrivateKey signingKey)
|
||||
private PGPSignature signMessage(byte[] message, HashAlgorithm hashAlgorithm, PGPSecretKeyRing secretKeys)
|
||||
throws NoSuchAlgorithmException, PGPException {
|
||||
// Prepare the hash context
|
||||
// This would be done by the caller application
|
||||
MessageDigest messageDigest = MessageDigest.getInstance(hashAlgorithm.getAlgorithmName(), new BouncyCastleProvider());
|
||||
messageDigest.update(message);
|
||||
|
||||
return HashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, signingKey);
|
||||
return BcHashContextSigner.signHashContext(messageDigest, SignatureType.BINARY_DOCUMENT, secretKeys, SecretKeyRingProtector.unprotectedKeys());
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue