Browse Source

GPG: use key fingerprint suffix to compare id for signing key

Check whether the value of the git config user.signingKey is a suffix
of the full fingerprint of the key. This was already used for finding
keys in secring.gpg, but not in pubring.kbx. This mechanism allows a
user to use any unique suffix to identify keys; to avoid needless
collisions it's recommended to use at least the last 16 characters of
the hex representation of the fingerprint, which is the key id.[1]

[1] https://tools.ietf.org/html/rfc4880#section-12.2

Bug: 545673
Change-Id: If6fb4879502b6ee4b8c26c21b2714aeac4e4670c
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
stable-5.5
Thomas Wolf 6 years ago
parent
commit
6536b5cbca
  1. 11
      org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java

11
org.eclipse.jgit/src/org/eclipse/jgit/lib/internal/BouncyCastleGpgKeyLocator.java

@ -181,10 +181,11 @@ class BouncyCastleGpgKeyLocator {
private PGPPublicKey findPublicKeyByKeyId(KeyBlob keyBlob) private PGPPublicKey findPublicKeyByKeyId(KeyBlob keyBlob)
throws IOException { throws IOException {
String keyId = signingKey.toLowerCase(Locale.ROOT);
for (KeyInformation keyInfo : keyBlob.getKeyInformation()) { for (KeyInformation keyInfo : keyBlob.getKeyInformation()) {
if (signingKey.toLowerCase(Locale.ROOT) String fingerprint = Hex.toHexString(keyInfo.getFingerprint())
.equals(Hex.toHexString(keyInfo.getKeyID()) .toLowerCase(Locale.ROOT);
.toLowerCase(Locale.ROOT))) { if (fingerprint.endsWith(keyId)) {
return getFirstPublicKey(keyBlob); return getFirstPublicKey(keyBlob);
} }
} }
@ -334,6 +335,7 @@ class BouncyCastleGpgKeyLocator {
PGPUtil.getDecoderStream(new BufferedInputStream(in)), PGPUtil.getDecoderStream(new BufferedInputStream(in)),
new JcaKeyFingerprintCalculator()); new JcaKeyFingerprintCalculator());
String keyId = signingkey.toLowerCase(Locale.ROOT);
Iterator<PGPSecretKeyRing> keyrings = pgpSec.getKeyRings(); Iterator<PGPSecretKeyRing> keyrings = pgpSec.getKeyRings();
while (keyrings.hasNext()) { while (keyrings.hasNext()) {
PGPSecretKeyRing keyRing = keyrings.next(); PGPSecretKeyRing keyRing = keyrings.next();
@ -344,8 +346,7 @@ class BouncyCastleGpgKeyLocator {
String fingerprint = Hex String fingerprint = Hex
.toHexString(key.getPublicKey().getFingerprint()) .toHexString(key.getPublicKey().getFingerprint())
.toLowerCase(Locale.ROOT); .toLowerCase(Locale.ROOT);
if (fingerprint if (fingerprint.endsWith(keyId)) {
.endsWith(signingkey.toLowerCase(Locale.ROOT))) {
return key; return key;
} }
// try user id // try user id

Loading…
Cancel
Save