
Example 1 with PGPSignature

use of org.bouncycastle.openpgp.PGPSignature in project gradle by gradle.

the class PgpSignatory method sign.

/**
 * Exhausts {@code toSign}, and writes the signature to {@code signatureDestination}.
 *
 * <p>The caller is responsible for closing both streams, though the output WILL be flushed.
 * Checked failures are rethrown unchecked: an {@link IOException} from reading the input or
 * writing the signature as {@link UncheckedIOException}, a {@link PGPException} from signature
 * generation as {@link UncheckedException}.
 *
 * @param toSign the data to sign; read to end-of-stream
 * @param signatureDestination where the generated signature is written
 */
@Override
public void sign(InputStream toSign, OutputStream signatureDestination) {
    PGPSignatureGenerator sigGen = createSignatureGenerator();
    try {
        feedGeneratorWith(toSign, sigGen);
        writeSignatureTo(signatureDestination, sigGen.generate());
    } catch (IOException e) {
        // Stream failure while consuming the input or emitting the signature.
        throw new UncheckedIOException(e);
    } catch (PGPException e) {
        // The signature itself could not be produced.
        throw new UncheckedException(e);
    }
}

Example 2 with PGPSignature

use of org.bouncycastle.openpgp.PGPSignature in project gerrit by GerritCodeReview.

the class PublicKeyChecker method checkWebOfTrust.

/**
 * Walks the certifications on {@code key} looking for a path to a trusted key.
 *
 * <p>A key is trusted directly when {@code trusted} maps its key ID to its own full fingerprint;
 * the key-ID lookup alone is not sufficient, the fingerprint must match as well. Otherwise each
 * DEFAULT or POSITIVE certification on one of the key's user IDs is followed to its signer, which
 * is checked recursively at {@code depth + 1} until {@code maxTrustDepth} is reached. Fingerprints
 * already present in {@code seen} are not revisited, which terminates certification cycles.
 * Self-certifications are skipped since they add no hop toward another key.
 *
 * @param key the key under inspection
 * @param store where signer keys are looked up
 * @param depth number of certification hops between the original key and {@code key}
 * @param seen fingerprints already visited on this walk; updated in place
 * @return {@code trusted()} when a path exists; when {@code trusted} is null trust checking is
 *     not configured and every key is reported trusted; otherwise an OK result whose problems
 *     describe why no path was found
 */
private CheckResult checkWebOfTrust(PGPPublicKey key, PublicKeyStore store, int depth, Set<Fingerprint> seen) {
    if (trusted == null) {
        // Trust checking not configured, server trusts all OK keys.
        return CheckResult.trusted();
    }
    Fingerprint keyFp = new Fingerprint(key.getFingerprint());
    if (!seen.add(keyFp)) {
        // Already on the current walk: stop rather than loop.
        return CheckResult.ok("Key is trusted in a cycle");
    }
    Fingerprint expectedFp = trusted.get(key.getKeyID());
    if (expectedFp != null && expectedFp.equals(keyFp)) {
        // Directly trusted: key ID and full fingerprint both match the configuration.
        return CheckResult.trusted();
    }
    if (depth >= maxTrustDepth) {
        return CheckResult.ok("No path of depth <= " + maxTrustDepth + " to a trusted key");
    }
    List<CheckResult> signerResults = new ArrayList<>();
    @SuppressWarnings("unchecked")
    Iterator<String> userIdIt = key.getUserIDs();
    while (userIdIt.hasNext()) {
        String userId = userIdIt.next();
        // Don't check the timestamp of these certifications. This allows admins
        // to correct untrusted keys by signing them with a trusted key, such that
        // older signatures created by those keys retroactively appear valid.
        for (Iterator<PGPSignature> sigIt = key.getSignaturesForID(userId); sigIt.hasNext(); ) {
            PGPSignature sig = sigIt.next();
            // TODO(dborowitz): Handle CERTIFICATION_REVOCATION.
            int sigType = sig.getSignatureType();
            boolean isCertification = sigType == PGPSignature.DEFAULT_CERTIFICATION
                || sigType == PGPSignature.POSITIVE_CERTIFICATION;
            if (!isCertification) {
                continue;
            }
            PGPPublicKey signer = getSigner(store, sig, userId, key, signerResults);
            // TODO(dborowitz): Require self certification.
            if (signer == null || Arrays.equals(signer.getFingerprint(), key.getFingerprint())) {
                // Unknown signer, or a self-certification: neither moves us toward a trusted key.
                continue;
            }
            // Only recurse when the trust subpacket permits it; the recursive check shares `seen`.
            if (checkTrustSubpacket(sig, depth) == null
                && check(signer, depth + 1, false, seen).isTrusted()) {
                return CheckResult.trusted();
            }
            signerResults.add(CheckResult.ok("Certification by " + keyToString(signer) + " is valid, but key is not trusted"));
        }
    }
    List<String> problems = new ArrayList<>();
    problems.add("No path to a trusted key");
    signerResults.forEach(signerResult -> problems.addAll(signerResult.getProblems()));
    return CheckResult.create(OK, problems);
}

Example 3 with PGPSignature

use of org.bouncycastle.openpgp.PGPSignature in project gerrit by GerritCodeReview.

the class PublicKeyChecker method checkRevocations.

/**
 * Applies designated-revoker revocations to {@code key}, appending a problem for each one that
 * holds.
 *
 * <p>Only revocations whose issuing key ID appears in {@code revokers} are considered. When the
 * revoker's key is in the store, its algorithm must match the designation and it must pass
 * {@code checkBasic} at the revocation's creation time before the signature is verified. When the
 * revoker's key is not in the store the signature cannot be verified; the revocation is then
 * assumed valid (the key is treated as revoked) and the situation is logged.
 *
 * @param key the key whose revocations are examined
 * @param revocations revocation signatures found on {@code key}
 * @param revokers designated revokers of {@code key}, keyed by key ID
 * @param problems receives one reason string per accepted revocation
 * @throws PGPException if a revocation signature cannot be initialized or verified
 * @throws IOException propagated from the store lookup or signature handling
 */
private void checkRevocations(PGPPublicKey key, List<PGPSignature> revocations, Map<Long, RevocationKey> revokers, List<String> problems) throws PGPException, IOException {
    for (PGPSignature revocation : revocations) {
        RevocationKey designated = revokers.get(revocation.getKeyID());
        if (designated == null) {
            // Issued by a key that is not a designated revoker; ignore it.
            continue;
        }
        byte[] revokerFp = designated.getFingerprint();
        PGPPublicKeyRing revokerRing = store.get(revokerFp);
        if (revokerRing == null) {
            // Authorized revoker whose key we do not hold: the signature cannot be checked,
            // so err on the side of treating the key as revoked.
            log.info("Key " + Fingerprint.toString(key.getFingerprint()) + " is revoked by " + Fingerprint.toString(revokerFp) + ", which is not in the store. Assuming revocation is valid.");
            problems.add(reasonToString(getRevocationReason(revocation)));
            continue;
        }
        PGPPublicKey revokerKey = revokerRing.getPublicKey();
        boolean algorithmMatches = revokerKey.getAlgorithm() == designated.getAlgorithm();
        if (!algorithmMatches || !checkBasic(revokerKey, revocation.getCreationTime()).isOk()) {
            // Wrong algorithm for the designation, or the revoker key was itself not usable
            // when the revocation was made: the revocation is invalid.
            continue;
        }
        revocation.init(new BcPGPContentVerifierBuilderProvider(), revokerKey);
        if (revocation.verifyCertification(key)) {
            problems.add(reasonToString(getRevocationReason(revocation)));
        }
    }
}

Example 4 with PGPSignature

use of org.bouncycastle.openpgp.PGPSignature in project camel by apache.

the class PGPDataFormatUtil method hasOneOfExpectedKeyFlags.

/**
 * Checks whether one of the signatures of the key has one of the expected
 * key flags.
 *
 * <p>Every signature attached to the key is consulted. A signature matches when its hashed
 * subpackets carry all bits of at least one mask in {@code expectedKeyFlags}; note that a mask
 * of zero therefore matches any signature that has hashed subpackets at all.
 * NOTE(review): the issuer of each signature is not examined here, so flags are read from any
 * signature on the key, not only the key's own self-signatures — confirm this is intended.
 *
 * @param key the public key whose signatures are inspected
 * @param expectedKeyFlags bit masks to look for; each mask must be matched in full
 * @return {@link Boolean#TRUE} if key has one of the expected flags,
 *         <code>null</code> if the key does not have any key flags,
 *         {@link Boolean#FALSE} if the key has none of the expected flags
 */
private static Boolean hasOneOfExpectedKeyFlags(PGPPublicKey key, int[] expectedKeyFlags) {
    boolean anyFlagsSeen = false;
    @SuppressWarnings("unchecked")
    Iterator<PGPSignature> signatures = key.getSignatures();
    while (signatures.hasNext()) {
        PGPSignatureSubpacketVector hashed = signatures.next().getHashedSubPackets();
        if (hashed == null) {
            continue;
        }
        int flags = hashed.getKeyFlags();
        // Remember that at least one signature declared flags, to tell FALSE from null below.
        anyFlagsSeen |= flags > 0;
        for (int expected : expectedKeyFlags) {
            if ((flags & expected) == expected) {
                return Boolean.TRUE;
            }
        }
    }
    // FALSE when flags were present but none matched; null when no signature carried flags.
    return anyFlagsSeen ? Boolean.FALSE : null;
}

Example 5 with PGPSignature

use of org.bouncycastle.openpgp.PGPSignature in project gerrit by GerritCodeReview.

the class PushCertificateChecker method check.

/**
 * Check a push certificate.
 *
 * <p>When nonce checking is enabled, a certificate whose nonce status is not {@code OK} is
 * rejected before any signature work is done. Otherwise the signature is parsed, verified
 * against a {@link PublicKeyStore} opened on the repository from {@code getRepository()}, and
 * combined with the {@code checkCustom} result. A signature that cannot be parsed yields a bad
 * result; an internal PGP or I/O failure is logged with its stack trace and reported to the
 * caller only as a generic bad result.
 *
 * @param cert the push certificate to check
 * @return result of the check.
 */
public final Result check(PushCertificate cert) {
    if (checkNonce && cert.getNonceStatus() != NonceStatus.OK) {
        return new Result(null, CheckResult.bad("Invalid nonce"));
    }
    List<CheckResult> results = new ArrayList<>(2);
    Result signatureResult = null;
    try {
        PGPSignature sig = readSignature(cert);
        if (sig == null) {
            results.add(CheckResult.bad("Invalid signature format"));
        } else {
            @SuppressWarnings("resource")
            Repository repo = getRepository();
            try (PublicKeyStore store = new PublicKeyStore(repo)) {
                signatureResult = checkSignature(sig, cert, store);
                results.add(checkCustom(repo));
            } finally {
                // The repository may belong to the caller; close it only when it is ours.
                if (shouldClose(repo)) {
                    repo.close();
                }
            }
        }
    } catch (PGPException | IOException e) {
        // Details go to the log; the caller sees only a generic failure message.
        String msg = "Internal error checking push certificate";
        log.error(msg, e);
        results.add(CheckResult.bad(msg));
    }
    return combine(signatureResult, results);
}
