Commit fda929a

committed

Greatly simplified SignatureVerifier and removed some resource-leaks

1 parent 7198574 commit fda929aCopy full SHA for fda929a

File tree

2 files changed

+50

-62

lines changed

app/test/cc/arduino/contributions
- GPGDetachedSignatureVerifierTest.java
arduino-core/src/cc/arduino/contributions
- SignatureVerifier.java

2 files changed

+50

-62

lines changed

`‎app/test/cc/arduino/contributions/GPGDetachedSignatureVerifierTest.java‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,22 +44,22 @@ public class GPGDetachedSignatureVerifierTest {`
`44`	`44`	`@Before`
`45`	`45`	`public void setUp() throws Exception {`
`46`	`46`	`verifier = new SignatureVerifier();`
	`47`	`+ File keyRingFile = new File(GPGDetachedSignatureVerifierTest.class.getResource("./test.public.gpg.key").getFile());`
	`48`	`+ verifier.setKeyRingFile(keyRingFile);`
`47`	`49`	`}`
`48`	`50`
`49`	`51`	`@Test`
`50`	`52`	`public void testSignatureSuccessfulVerification() throws Exception {`
`51`	`53`	`File signedFile = new File(GPGDetachedSignatureVerifierTest.class.getResource("./package_index.json").getFile());`
`52`	`54`	`File sign = new File(GPGDetachedSignatureVerifierTest.class.getResource("./package_index.json.sig").getFile());`
`53`		`- File publickKey = new File(GPGDetachedSignatureVerifierTest.class.getResource("./test.public.gpg.key").getFile());`
`54`		`- assertTrue(verifier.verify(signedFile, sign, publickKey));`
	`55`	`+ assertTrue(verifier.verify(signedFile, sign));`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`@Test`
`58`	`59`	`public void testSignatureFailingVerification() throws Exception {`
`59`	`60`	`File fakeSignedFile = File.createTempFile("fakeSigned", "txt");`
`60`	`61`	`fakeSignedFile.deleteOnExit();`
`61`	`62`	`File sign = new File(GPGDetachedSignatureVerifierTest.class.getResource("./package_index.json.sig").getFile());`
`62`		`- File publickKey = new File(GPGDetachedSignatureVerifierTest.class.getResource("./test.public.gpg.key").getFile());`
`63`		`- assertFalse(verifier.verify(fakeSignedFile, sign, publickKey));`
	`63`	`+ assertFalse(verifier.verify(fakeSignedFile, sign));`
`64`	`64`	`}`
`65`	`65`	`}`

`‎arduino-core/src/cc/arduino/contributions/SignatureVerifier.java‎`

Lines changed: 46 additions & 58 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,26 +29,34 @@`
`29`	`29`
`30`	`30`	`package cc.arduino.contributions;`
`31`	`31`
	`32`	`+import java.io.File;`
	`33`	`+import java.io.FileInputStream;`
	`34`	`+import java.io.IOException;`
	`35`	`+import java.io.InputStream;`
	`36`	`+`
`32`	`37`	`import org.apache.commons.compress.utils.IOUtils;`
`33`		`-import org.bouncycastle.openpgp.*;`
	`38`	`+import org.bouncycastle.openpgp.PGPException;`
	`39`	`+import org.bouncycastle.openpgp.PGPObjectFactory;`
	`40`	`+import org.bouncycastle.openpgp.PGPPublicKey;`
	`41`	`+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;`
	`42`	`+import org.bouncycastle.openpgp.PGPSignature;`
	`43`	`+import org.bouncycastle.openpgp.PGPSignatureList;`
	`44`	`+import org.bouncycastle.openpgp.PGPUtil;`
`34`	`45`	`import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;`
`35`	`46`	`import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;`
`36`	`47`
`37`	`48`	`import processing.app.BaseNoGui;`
`38`	`49`
`39`		`-import java.io.*;`
`40`		`-import java.util.Iterator;`
`41`		`-`
`42`	`50`	`public class SignatureVerifier {`
`43`	`51`
`44`		`- private StringkeyId;`
	`52`	`+ private FilekeyRingFile;`
`45`	`53`
`46`	`54`	`public SignatureVerifier() {`
`47`		`- this("7F294291");`
	`55`	`+ keyRingFile = newFile(BaseNoGui.getContentFile("lib"), "public.gpg.key");`
`48`	`56`	`}`
`49`	`57`
`50`		`- public SignatureVerifier(StringkeyId) {`
`51`		`- this.keyId = keyId;`
	`58`	`+ public voidsetKeyRingFile(FilekeyRingFile) {`
	`59`	`+ this.keyRingFile = keyRingFile;`
`52`	`60`	`}`
`53`	`61`
`54`	`62`	`public boolean isSigned(File indexFile) {`
`@@ -58,7 +66,7 @@ public boolean isSigned(File indexFile) {`
`58`	`66`	`}`
`59`	`67`
`60`	`68`	`try {`
`61`		`- return verify(indexFile, signature, newFile(BaseNoGui.getContentFile("lib"), "public.gpg.key"));`
	`69`	`+ return verify(indexFile, signature);`
`62`	`70`	`} catch (Exception e) {`
`63`	`71`	`BaseNoGui.showWarning(e.getMessage(), e.getMessage(), e);`
`64`	`72`	`return false;`
`@@ -67,76 +75,56 @@ public boolean isSigned(File indexFile) {`
`67`	`75`
`68`	`76`	`public boolean isSigned(File indexFile, File signature) {`
`69`	`77`	`try {`
`70`		`- return verify(indexFile, signature, newFile(BaseNoGui.getContentFile("lib"), "public.gpg.key"));`
	`78`	`+ return verify(indexFile, signature);`
`71`	`79`	`} catch (Exception e) {`
`72`	`80`	`BaseNoGui.showWarning(e.getMessage(), e.getMessage(), e);`
`73`	`81`	`return false;`
`74`	`82`	`}`
`75`	`83`	`}`
`76`	`84`
`77`		`- protected boolean verify(File signedFile, File signature, File publicKey) throws IOException {`
`78`		`- FileInputStream signatureInputStream = null;`
`79`		`- FileInputStream signedFileInputStream = null;`
	`85`	`+ protected boolean verify(File signedFile, File signatureFile) throws IOException {`
`80`	`86`	`try {`
`81`		`- signatureInputStream = new FileInputStream(signature);`
`82`		`- PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(signatureInputStream, new BcKeyFingerprintCalculator());`
`83`		`-`
`84`		`- Object nextObject;`
`85`		`- try {`
`86`		`- nextObject = pgpObjectFactory.nextObject();`
`87`		`- if (!(nextObject instanceof PGPSignatureList)) {`
	`87`	`+ // Read signature from signatureFile`
	`88`	`+ PGPSignature signature;`
	`89`	`+ try (FileInputStream in = new FileInputStream(signatureFile)) {`
	`90`	`+ PGPObjectFactory objFactory = new PGPObjectFactory(in, new BcKeyFingerprintCalculator());`
	`91`	`+ Object obj = objFactory.nextObject();`
	`92`	`+ if (!(obj instanceof PGPSignatureList)) {`
	`93`	`+ return false;`
	`94`	`+ }`
	`95`	`+ PGPSignatureList signatureList = (PGPSignatureList) obj;`
	`96`	`+ if (signatureList.size() != 1) {`
`88`	`97`	`return false;`
`89`	`98`	`}`
`90`		`- } catch (IOException e) {`
	`99`	`+ signature = signatureList.get(0);`
	`100`	`+ } catch (Exception e) {`
`91`	`101`	`return false;`
`92`	`102`	`}`
`93`		`- PGPSignatureList pgpSignatureList = (PGPSignatureList) nextObject;`
`94`		`- assert pgpSignatureList.size() == 1;`
`95`		`- PGPSignature pgpSignature = pgpSignatureList.get(0);`
`96`		`-`
`97`		`- PGPPublicKey pgpPublicKey = readPublicKey(publicKey, keyId);`
`98`	`103`
`99`		`- pgpSignature.init(new BcPGPContentVerifierBuilderProvider(), pgpPublicKey);`
`100`		`- signedFileInputStream = new FileInputStream(signedFile);`
`101`		`- pgpSignature.update(IOUtils.toByteArray(signedFileInputStream));`
	`104`	`+ // Extract public key from keyring`
	`105`	`+ PGPPublicKey pgpPublicKey = readPublicKey(signature.getKeyID());`
`102`	`106`
`103`		`- return pgpSignature.verify();`
	`107`	`+ // Check signature`
	`108`	`+ signature.init(new BcPGPContentVerifierBuilderProvider(), pgpPublicKey);`
	`109`	`+ try (FileInputStream in = new FileInputStream(signedFile)) {`
	`110`	`+ signature.update(IOUtils.toByteArray(in));`
	`111`	`+ return signature.verify();`
	`112`	`+ }`
`104`	`113`	`} catch (PGPException e) {`
`105`	`114`	`throw new IOException(e);`
`106`		`- } finally {`
`107`		`- IOUtils.closeQuietly(signatureInputStream);`
`108`		`- IOUtils.closeQuietly(signedFileInputStream);`
`109`	`115`	`}`
`110`	`116`	`}`
`111`	`117`
`112`		`- private PGPPublicKey readPublicKey(File file, String id) throws IOException, PGPException {`
`113`		`- InputStream keyIn = null;`
`114`		`- try {`
`115`		`- keyIn = new BufferedInputStream(new FileInputStream(file));`
`116`		`- return readPublicKey(keyIn, id);`
`117`		`- } finally {`
`118`		`- IOUtils.closeQuietly(keyIn);`
`119`		`- }`
`120`		`- }`
`121`		`-`
`122`		`- private PGPPublicKey readPublicKey(InputStream input, String id) throws IOException, PGPException {`
`123`		`- PGPPublicKeyRingCollection pgpPub = new PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(input), new BcKeyFingerprintCalculator());`
`124`		`-`
`125`		`- Iterator<PGPPublicKeyRing> keyRingIter = pgpPub.getKeyRings();`
`126`		`- while (keyRingIter.hasNext()) {`
`127`		`- PGPPublicKeyRing keyRing = keyRingIter.next();`
	`118`	`+ private PGPPublicKey readPublicKey(long id) throws IOException, PGPException {`
	`119`	`+ try (InputStream in = PGPUtil.getDecoderStream(new FileInputStream(keyRingFile))) {`
	`120`	`+ PGPPublicKeyRingCollection pubRing = new PGPPublicKeyRingCollection(in, new BcKeyFingerprintCalculator());`
`128`	`121`
`129`		`- Iterator<PGPPublicKey> keyIter = keyRing.getPublicKeys();`
`130`		`- while (keyIter.hasNext()) {`
`131`		`- PGPPublicKey key = keyIter.next();`
`132`		`-`
`133`		`- if (Long.toHexString(key.getKeyID()).toUpperCase().endsWith(id)) {`
`134`		`- return key;`
`135`		`- }`
	`122`	`+ PGPPublicKey publicKey = pubRing.getPublicKey(id);`
	`123`	`+ if (publicKey == null) {`
	`124`	`+ throw new IllegalArgumentException("Can't find public key in key ring.");`
`136`	`125`	`}`
	`126`	`+ return publicKey;`
`137`	`127`	`}`
`138`		`-`
`139`		`- throw new IllegalArgumentException("Can't find encryption key in key ring.");`
`140`	`128`	`}`
`141`	`129`
`142`	`130`	`}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit fda929a

File tree

2 files changed

2 files changed

`‎app/test/cc/arduino/contributions/GPGDetachedSignatureVerifierTest.java‎`

`‎arduino-core/src/cc/arduino/contributions/SignatureVerifier.java‎`

0 commit comments