signatureProcessors = new ArrayList<>();
signatureProcessors.add(SignatureProcessors.size());
signatureProcessors.add(SignatureProcessors.sha256Header());
signatureProcessors.add(SignatureProcessors.sha1Header());
signatureProcessors.add(SignatureProcessors.md5());
signatureProcessors.add(SignatureProcessors.payloadSize());
- signatureProcessors.add(new RsaSignatureProcessor(privateKey, hashAlgorithm));
+ signatureProcessors.add(new PgpSignatureProcessor(secretKeys, protector));
return signatureProcessors;
}
-
- /**
- *
- * Decrypt and retrieve the private key
- *
- *
- * @param privateKeyIn : InputStream containing the encrypted private key
- * @param passphrase : passphrase to decrypt private key
- * @return private key as {@link PGPPrivateKey}
- * @throws PGPException : if the private key cannot be extrated
- * @throws IOException : if error happened with InputStream
- */
- private static PGPPrivateKey getPrivateKey(InputStream privateKeyIn, String passphrase)
- throws PGPException, IOException {
- ArmoredInputStream armor = new ArmoredInputStream(privateKeyIn);
- PGPSecretKeyRing secretKeyRing = new BcPGPSecretKeyRing(armor);
- PGPSecretKey secretKey = secretKeyRing.getSecretKey();
- return secretKey.extractPrivateKey(new BcPBESecretKeyDecryptorBuilder(new BcPGPDigestCalculatorProvider())
- .build(passphrase.toCharArray()));
- }
}
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
index 7bd2b26..c8c104b 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaHeaderSignatureProcessor.java
@@ -29,7 +29,10 @@
/**
* An RSA signature processor for the header section only.
+ *
+ * @deprecated use {@link PgpHeaderSignatureProcessor} instead.
*/
+@Deprecated
public class RsaHeaderSignatureProcessor implements SignatureProcessor {
private final static Logger logger = LoggerFactory.getLogger(RsaHeaderSignatureProcessor.class);
@@ -50,7 +53,7 @@ public RsaHeaderSignatureProcessor(final PGPPrivateKey privateKey, final HashAlg
}
public RsaHeaderSignatureProcessor(final PGPPrivateKey privateKey) {
- this(privateKey, HashAlgorithmTags.SHA1);
+ this(privateKey, HashAlgorithmTags.SHA256);
}
@Override
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
index 91f4335..1ba88b9 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/signature/RsaSignatureProcessor.java
@@ -29,7 +29,10 @@
/**
* An RSA signature processor for both header and payload.
+ *
+ * @deprecated use {@link PgpSignatureProcessor} instead.
*/
+@Deprecated
public class RsaSignatureProcessor implements SignatureProcessor {
private final static Logger logger = LoggerFactory.getLogger(RsaSignatureProcessor.class);
@@ -53,7 +56,7 @@ public RsaSignatureProcessor(final PGPPrivateKey privateKey, final HashAlgorithm
}
public RsaSignatureProcessor(final PGPPrivateKey privateKey) {
- this(privateKey, HashAlgorithmTags.SHA1);
+ this(privateKey, HashAlgorithmTags.SHA256);
}
@Override
diff --git a/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java b/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
index 6bb9600..50015ae 100644
--- a/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
+++ b/rpm/src/main/java/org/eclipse/packager/rpm/yum/RepositoryCreator.java
@@ -14,6 +14,7 @@
package org.eclipse.packager.rpm.yum;
import java.io.IOException;
+import java.io.InputStream;
import java.io.OutputStream;
import java.time.Instant;
import java.util.Arrays;
@@ -41,6 +42,7 @@
import org.bouncycastle.bcpg.HashAlgorithmTags;
import org.bouncycastle.openpgp.PGPPrivateKey;
+import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.eclipse.packager.io.IOConsumer;
import org.eclipse.packager.io.OutputSpooler;
import org.eclipse.packager.io.SpoolOutTarget;
@@ -50,7 +52,10 @@
import org.eclipse.packager.rpm.info.RpmInformation;
import org.eclipse.packager.rpm.info.RpmInformation.Changelog;
import org.eclipse.packager.rpm.info.RpmInformation.Dependency;
+import org.eclipse.packager.security.pgp.PgpHelper;
import org.eclipse.packager.security.pgp.SigningStream;
+import org.eclipse.packager.security.pgp.SigningStream2;
+import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -434,19 +439,41 @@ public Builder setXmlContext(final XmlContext xmlContext) {
return this;
}
- public Builder setSigning(final Function signingStreamCreator) {
- this.signingStreamCreator = signingStreamCreator;
- return this;
- }
-
+ /**
+ * Enable signing using an (unprotected) PGP private key.
+ *
+ * @param privateKey unlocked PGP private key
+ * @return builder
+ * @deprecated use {@link #setSigning(PGPSecretKeyRing)} instead.
+ */
+ @Deprecated
public Builder setSigning(final PGPPrivateKey privateKey) {
- return setSigning(privateKey, HashAlgorithmTags.SHA1);
+ return setSigning(privateKey, HashAlgorithmTags.SHA256);
}
+ /**
+ * Enable signing using a PGP private key using the given digest algorithm.
+ *
+ * @param privateKey unlocked PGP private key
+ * @param hashAlgorithm digest algorithm to be used in the signature
+ * @return builder
+ * @deprecated use {@link #setSigning(PGPSecretKeyRing)} instead.
+ */
+ @Deprecated
public Builder setSigning(final PGPPrivateKey privateKey, final HashAlgorithm hashAlgorithm) {
return setSigning(privateKey, hashAlgorithm.getValue());
}
+ /**
+ * Enable signing using a PGP private key, using the given digest algorithm.
+ *
+ * @param privateKey unlocked PGP private key
+ * @param digestAlgorithm digest algorithm to be used in the signature
+ * @return builder
+ * @deprecated use {@link #setSigning(PGPSecretKeyRing, SecretKeyRingProtector)}
+ * instead.
+ */
+ @Deprecated
public Builder setSigning(final PGPPrivateKey privateKey, final int digestAlgorithm) {
if (privateKey != null) {
this.signingStreamCreator = output -> new SigningStream(output, privateKey, digestAlgorithm, false);
@@ -456,6 +483,100 @@ public Builder setSigning(final PGPPrivateKey privateKey, final int digestAlgori
return this;
}
+ /**
+ * Enable signing using an (unprotected) PGP secret key.
+ *
+ * @param secretKeys secret key
+ * @return builder
+ */
+ public Builder setSigning(final PGPSecretKeyRing secretKeys) {
+ return setSigning(secretKeys, SecretKeyRingProtector.unprotectedKeys());
+ }
+
+ /**
+ * Enable signing using a PGP secret key.
+ *
+ * @param secretKeys secret key
+ * @param protector protector to unlock the secret key
+ * @return builder
+ */
+ public Builder setSigning(final PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector) {
+ return setSigning(secretKeys, protector, 0);
+ }
+
+ /**
+ * Enable signing using a PGP secret key.
+ *
+ * @param secretKeys secret key
+ * @param protector protector to unlock the secret key
+ * @param keyId ID of the signing subkey, or 0 if the signing subkey is
+ * auto-detected
+ * @return builder
+ */
+ public Builder setSigning(final PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector, long keyId) {
+ if (secretKeys != null) {
+ return setSigning(output -> new SigningStream2(output, secretKeys, protector, keyId, false));
+ } else {
+ this.signingStreamCreator = null;
+ }
+ return this;
+ }
+
+ /**
+ * Enable signing using a PGP secret key.
+ *
+ * @param keyInputStream input stream containing the (unprotected) secret key.
+ * @return builder
+ * @throws IOException if the key cannot be parsed
+ */
+ public Builder setSigning(final InputStream keyInputStream)
+ throws IOException {
+ return setSigning(keyInputStream, SecretKeyRingProtector.unprotectedKeys());
+ }
+
+ /**
+ * Enable signing using a PGP secret key.
+ *
+ * @param keyInputStream input stream containing the secret key.
+ * @param keyProtector protector to unlock the secret key.
+ * @return builder
+ * @throws IOException if the key cannot be parsed
+ */
+ public Builder setSigning(final InputStream keyInputStream,
+ final SecretKeyRingProtector keyProtector)
+ throws IOException {
+ return setSigning(keyInputStream, keyProtector, 0);
+ }
+
+ /**
+ * Enable signing using a PGP secret key.
+ *
+ * @param keyInputStream input stream containing the secret key.
+ * @param keyProtector protector to unlock the secret key.
+ * @param keyId ID of the signing subkey, or 0 for auto-detect
+ * @return builder
+ * @throws IOException if the key cannot be parsed
+ */
+ public Builder setSigning(final InputStream keyInputStream,
+ final SecretKeyRingProtector keyProtector,
+ final long keyId)
+ throws IOException {
+ PGPSecretKeyRing secretKeys = PgpHelper.loadSecretKeyRing(keyInputStream);
+ return setSigning(secretKeys, keyProtector, keyId);
+ }
+
+ /**
+ * Apply PGP signing to the data stream.
+ *
+ * @param signingStreamCreator function that wraps the output stream into a
+ * signing stream.
+ * @return builder
+ */
+ public Builder setSigning(final Function signingStreamCreator) {
+ this.signingStreamCreator = signingStreamCreator;
+ return this;
+ }
+
public RepositoryCreator build() {
return new RepositoryCreator(this.target, this.xmlContext == null ? new DefaultXmlContext() : this.xmlContext, this.signingStreamCreator);
}
diff --git a/rpm/src/test/java/org/eclipse/packager/rpm/WriterTest.java b/rpm/src/test/java/org/eclipse/packager/rpm/WriterTest.java
index cc2977a..6707bb1 100644
--- a/rpm/src/test/java/org/eclipse/packager/rpm/WriterTest.java
+++ b/rpm/src/test/java/org/eclipse/packager/rpm/WriterTest.java
@@ -41,7 +41,7 @@
import org.eclipse.packager.rpm.deps.RpmDependencyFlags;
import org.eclipse.packager.rpm.header.Header;
import org.eclipse.packager.rpm.parse.RpmInputStream;
-import org.eclipse.packager.rpm.signature.RsaHeaderSignatureProcessor;
+import org.eclipse.packager.rpm.signature.PgpHeaderSignatureProcessor;
import org.eclipse.packager.security.pgp.PgpHelper;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
@@ -194,7 +194,10 @@ public void test3() throws IOException, PGPException {
if (keyId != null && keyChain != null) {
try (InputStream stream = Files.newInputStream(Paths.get(keyChain))) {
- builder.addSignatureProcessor(new RsaHeaderSignatureProcessor(PgpHelper.loadPrivateKey(stream, keyId, keyPassphrase), HashAlgorithm.from(System.getProperty("writerTest.hashAlgo"))));
+ builder.addSignatureProcessor(new PgpHeaderSignatureProcessor(
+ PgpHelper.loadSecretKeyRing(stream),
+ PgpHelper.protectorFromPassword(keyPassphrase),
+ PgpHelper.parseKeyId(keyId)));
}
}
diff --git a/rpm/src/test/java/org/eclipse/packager/rpm/signature/RpmFileSignatureProcessorTest.java b/rpm/src/test/java/org/eclipse/packager/rpm/signature/RpmFileSignatureProcessorTest.java
index a3931cb..36d742c 100644
--- a/rpm/src/test/java/org/eclipse/packager/rpm/signature/RpmFileSignatureProcessorTest.java
+++ b/rpm/src/test/java/org/eclipse/packager/rpm/signature/RpmFileSignatureProcessorTest.java
@@ -8,8 +8,8 @@
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
- * mat1e, Groupe EDF - initial API and implementation
- * Jens Reimann, Red Hat, Inc
+ * mat1e, Groupe EDF - initial API and implementation
+ * Jens Reimann, Red Hat, Inc
********************************************************************************/
package org.eclipse.packager.rpm.signature;
@@ -28,7 +28,6 @@
import java.util.Optional;
import org.bouncycastle.openpgp.PGPException;
-import org.eclipse.packager.rpm.HashAlgorithm;
import org.eclipse.packager.rpm.RpmSignatureTag;
import org.eclipse.packager.rpm.Rpms;
import org.eclipse.packager.rpm.parse.InputHeader;
@@ -74,9 +73,9 @@ public void testSigningExistingRpm() throws IOException, PGPException {
signedRpm.createNewFile();
try (FileOutputStream resultOut = new FileOutputStream(signedRpm);
- InputStream privateKeyStream = new FileInputStream(private_key)) {
+ InputStream privateKeyStream = new FileInputStream(private_key)) {
// Sign the RPM
- RpmFileSignatureProcessor.perform(rpm, privateKeyStream, passPhrase, resultOut, HashAlgorithm.SHA256);
+ RpmFileSignatureProcessor.perform(rpm, privateKeyStream, passPhrase, resultOut);
// Read the initial (unsigned) rpm file
RpmInputStream initialRpm = new RpmInputStream(new FileInputStream(rpm));
@@ -130,7 +129,8 @@ public void verifyRpmSignature() throws Exception {
String publicKeyName = publicKey.getName();
String rpmFileName = signedRpm.getName();
- // prepare the script for validating the signature, this includes importing the key and running a verbose check
+ // prepare the script for validating the signature, this includes importing the
+ // key and running a verbose check
String script = String.format("rpm --import /%s && rpm --verbose --checksig /%s", publicKeyName, rpmFileName);
// SElinux labeling
@@ -142,14 +142,14 @@ public void verifyRpmSignature() throws Exception {
}
});
-
- // create the actual command, which we run inside a container, to not mess up the host systems RPM configuration and
+ // create the actual command, which we run inside a container, to not mess up
+ // the host systems RPM configuration and
// because this gives us a predictable RPM version.
String[] command = new String[] {
- CONTAINER, "run", "-tiq", "--rm",
- "-v", publicKey + ":/" + publicKeyName + mountSuffix,
- "-v", signedRpm + ":/" + rpmFileName + mountSuffix,
- "registry.access.redhat.com/ubi9/ubi-minimal:latest", "bash", "-c", script
+ CONTAINER, "run", "-tiq", "--rm",
+ "-v", publicKey + ":/" + publicKeyName + mountSuffix,
+ "-v", signedRpm + ":/" + rpmFileName + mountSuffix,
+ "registry.access.redhat.com/ubi9/ubi-minimal:latest", "bash", "-c", script
};
// dump command for local testing
@@ -176,7 +176,7 @@ private static void dumpCommand(String[] command) {
private static String run(String... command) throws IOException, InterruptedException {
Process process = new ProcessBuilder(command)
- .start();
+ .start();
String stdout = new String(ByteStreams.toByteArray(process.getInputStream()));
process.waitFor();
return stdout;