From 6536b5cbca8b876e92c5943f25768ba0c450eada Mon Sep 17 00:00:00 2001
From: Thomas Wolf
Date: Tue, 21 May 2019 18:08:48 +0200
Subject: [PATCH] GPG: use key fingerprint suffix to compare id for signing key

Check whether the value of the git config user.signingKey is a suffix of the full fingerprint of the key. This was already used for finding keys in secring.gpg, but not in pubring.kbx. This mechanism allows a user to use any unique suffix to identify keys; to avoid needless collisions it's recommended to use at least the last 16 characters of the hex representation of the fingerprint, which is the key id.[1]

[1] https://tools.ietf.org/html/rfc4880#section-12.2

Bug: 545673
Change-Id: If6fb4879502b6ee4b8c26c21b2714aeac4e4670c
Signed-off-by: Thomas Wolf
---
 .../jgit/lib/internal/BouncyCastleGpgKeyLocator.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java b/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java
index c942cf403..47f8c85f4 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java
@@ -181,10 +181,11 @@ class BouncyCastleGpgKeyLocator {
 private PGPPublicKey findPublicKeyByKeyId(KeyBlob keyBlob)
 throws IOException {
+ String keyId = signingKey.toLowerCase(Locale.ROOT);
 for (KeyInformation keyInfo : keyBlob.getKeyInformation()) {
- if (signingKey.toLowerCase(Locale.ROOT)
- .equals(Hex.toHexString(keyInfo.getKeyID())
- .toLowerCase(Locale.ROOT))) {
+ String fingerprint = Hex.toHexString(keyInfo.getFingerprint())
+ .toLowerCase(Locale.ROOT);
+ if (fingerprint.endsWith(keyId)) {
 return getFirstPublicKey(keyBlob);
 }
 }
@@ -334,6 +335,7 @@ class BouncyCastleGpgKeyLocator {
 PGPUtil.getDecoderStream(new BufferedInputStream(in)),
 new JcaKeyFingerprintCalculator());
+ String keyId = signingkey.toLowerCase(Locale.ROOT);
 Iterator keyrings = pgpSec.getKeyRings();
 while (keyrings.hasNext()) {
 PGPSecretKeyRing keyRing = keyrings.next();
@@ -344,8 +346,7 @@ class BouncyCastleGpgKeyLocator {
 String fingerprint = Hex
 .toHexString(key.getPublicKey().getFingerprint())
 .toLowerCase(Locale.ROOT);
- if (fingerprint
- .endsWith(signingkey.toLowerCase(Locale.ROOT))) {
+ if (fingerprint.endsWith(keyId)) {
 return key;
 }
 // try user id
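Review bot: `fingerprint.endsWith(keyId)` in the last hunk selects the first key in the secret keyring whenever the configured signing key is blank, because `endsWith("")` is true for every fingerprint; the new suffix check in `findPublicKeyByKeyId` in the first hunk has the same property. Unless the caller is already known to reject an empty `user.signingKey`, guard where `keyId` is computed, e.g. `if (keyId.isEmpty()) { throw new IllegalArgumentException("user.signingKey must not be empty"); }`. A short suffix can also match more than one key, and since the loop returns on the first hit, signing would silently use a key other than the one the user meant; consider requiring a minimum suffix length (the commit message itself recommends the 16-hex-character key id) or failing when a second key also matches. The enclosing method starts and ends outside the hunk.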