diff --git a/src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java b/src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java
index a2b90a03..8d907e48 100644
--- a/src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java
+++ b/src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java
@@ -21,7 +21,6 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,13 +47,9 @@
 import org.apache.maven.settings.Proxy;
 import org.apache.maven.settings.Settings;
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
 import org.codehaus.plexus.resource.loader.ResourceNotFoundException;
 import org.simplify4u.plugins.ArtifactResolver.Configuration;
@@ -441,13 +436,10 @@ private boolean verifyPGPSignature(Artifact artifact, Artifact ascArtifact) thro
 getLog().debug("Artifact sign: " + signatureFile);
 try {
- InputStream sigInputStream = PGPUtil.getDecoderStream(new FileInputStream(signatureFile));
- PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
- PGPSignatureList sigList = (PGPSignatureList) pgpObjectFactory.nextObject();
- if (sigList == null) {
- throw new MojoFailureException("Invalid signature file: " + signatureFile);
+ final PGPSignature pgpSignature;
+ try (FileInputStream input = new FileInputStream(signatureFile)) {
+ pgpSignature = PGPSignatureUtils.loadSignature(input);
 }
- PGPSignature pgpSignature = sigList.get(0);
 if (weakSignatures.containsKey(pgpSignature.getHashAlgorithm())) {
 final String logMessageWeakSignature = "Weak signature algorithm used: "
diff --git a/src/main/java/org/simplify4u/plugins/utils/PGPSignatureUtils.java b/src/main/java/org/simplify4u/plugins/utils/PGPSignatureUtils.java
index 0ae32266..6848c546 100644
--- a/src/main/java/org/simplify4u/plugins/utils/PGPSignatureUtils.java
+++ b/src/main/java/org/simplify4u/plugins/utils/PGPSignatureUtils.java
@@ -18,13 +18,18 @@
 package org.simplify4u.plugins.utils;
+import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.ProtocolException;
 /**
 * Utilities for PGP Signature class.
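Review bot: The malformed-signature path no longer raises a MojoFailureException naming the file: `PGPSignatureUtils.loadSignature(input)` surfaces a ProtocolException (an IOException) whose message does not mention signatureFile, and whether that still fails the build depends on the catch clauses of verifyPGPSignature, which lie outside this hunk. If the enclosing catch treats IOException as a generic read or resolution problem, a corrupt or truncated .asc would be handled differently from the previous explicit failure. Consider catching it at the new call site, `catch (ProtocolException e) { throw new MojoFailureException("Invalid signature file: " + signatureFile, e); }`, so the file path stays in the message and the failure mode stays explicit. The enclosing method starts and ends outside the hunk.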
@@ -35,6 +40,20 @@ private PGPSignatureUtils() {
 // No need to instantiate utility class.
 }
+ public static PGPSignature loadSignature(InputStream input) throws IOException {
+ InputStream sigInputStream = PGPUtil.getDecoderStream(input);
+ PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
+ Object object = pgpObjectFactory.nextObject();
+ if (!(object instanceof PGPSignatureList)) {
+ throw new ProtocolException("File content is not a PGP signature.");
+ }
+ PGPSignatureList siglist = (PGPSignatureList) object;
+ if (siglist.isEmpty()) {
+ throw new ProtocolException("PGP signature list is empty.");
+ }
+ return siglist.get(0);
+ }
+
 /**
 * Read the content of a file into the PGP signature instance (for verification).
 *
diff --git a/src/test/java/org/simplify4u/plugins/utils/PGPSignatureUtilsTest.java b/src/test/java/org/simplify4u/plugins/utils/PGPSignatureUtilsTest.java
new file mode 100644
index 00000000..a096a28d
--- /dev/null
+++ b/src/test/java/org/simplify4u/plugins/utils/PGPSignatureUtilsTest.java
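Review bot: `loadSignature` is a new public method with no Javadoc, although the method that follows it ("Read the content of a file into the PGP signature instance") is documented; add a header saying that it reads the first signature from a stream decoded via `PGPUtil.getDecoderStream`, that the caller remains responsible for closing `input`, and `@throws ProtocolException if the stream holds no PGP signature list or the list is empty`. The `return siglist.get(0);` line silently drops any further signatures in the list, so the Javadoc should state that only the first signature is returned, or the method should reject (or at least log) a list with more than one entry, so that verifying only the first of several signatures is a deliberate choice rather than an accident. `java.net.ProtocolException` is an unusual type for malformed file content; if it is kept because callers already handle IOException, a one-line comment saying so would help the next reader.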
@@ -0,0 +1,34 @@
+package org.simplify4u.plugins.utils;
+
+import org.bouncycastle.openpgp.PGPSignature;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.net.ProtocolException;
+
+import static org.testng.Assert.assertEquals;
+
+public class PGPSignatureUtilsTest {
+
+ @Test(expectedExceptions = NullPointerException.class)
+ public void testLoadSignatureNull() throws IOException {
+ PGPSignatureUtils.loadSignature(null);
+ }
+
+ @Test(expectedExceptions = ProtocolException.class)
+ public void testLoadSignatureNoContent() throws IOException {
+ PGPSignatureUtils.loadSignature(getClass().getResourceAsStream("/empty.asc"));
+ }
+
+ @Test(expectedExceptions = ProtocolException.class)
+ public void testLoadSignatureContentNotSignature() throws IOException {
+ PGPSignatureUtils.loadSignature(getClass().getResourceAsStream("/3D8B00E198E21827.asc"));
+ }
+
+ @Test
+ public void testLoadSignatureContentIsSignature() throws IOException {
+ PGPSignature signature = PGPSignatureUtils.loadSignature(
+ getClass().getResourceAsStream("/helloworld-1.0.jar.asc"));
+ assertEquals(signature.getKeyID(), 0x9F1A263E15FD0AC9L);
+ }
+}
\ No newline at end of file
diff --git a/src/test/resources/empty.asc b/src/test/resources/empty.asc
new file mode 100644
index 00000000..e69de29b
diff --git a/src/test/resources/helloworld-1.0.jar.asc b/src/test/resources/helloworld-1.0.jar.asc
new file mode 100644
index 00000000..36f42140
--- /dev/null
+++ b/src/test/resources/helloworld-1.0.jar.asc
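Review bot: The three resource-based tests pass `getClass().getResourceAsStream(...)` straight into `loadSignature` and never close the stream; wrap each call in try-with-resources, e.g. `try (InputStream in = getClass().getResourceAsStream("/empty.asc")) { PGPSignatureUtils.loadSignature(in); }`. `getResourceAsStream` also returns null when the resource is missing, so an absent `/3D8B00E198E21827.asc` (not added by this commit, so presumably already present under src/test/resources) would surface as a NullPointerException rather than the expected ProtocolException, and the failure reason would be misleading. A `requireNonNull` on the stream inside the test, or a dedicated helper that resolves the resource, would make that distinction explicit.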
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEERmWD+UgOviRixGswnxomPhX9CskFAl6+yzwACgkQnxomPhX9
+CslwWAf+IsAeoaZC0yo38k1PZ58IAeHQP9iavrfZ4LMCMxFacXmBGZF4SVniBmZ3
+o7gaQpp+EYi7LikfBDphX0iNchSn/7jGlDq8eK12JCeoyD7s0rYAYu94itQSPuvE
+MZWDD//C0pGNSoK14EZB4TdzE2Ey87+lXqBd2NKNdmSTntL+ijyOPZRMTsLs7o6F
+cEwRJQ1T2i26/uC2dpiQ4qelk/bo0eZM/BjJp6DZqjmh4CZDaY/vMTxrM5v7LNVE
+4ChAcuu3V8oiNMgWicXFRGHNqyEMrJUM6f7yx325si7ziH3l/CL1iGymVt1DdLzq
+3R/QK/dX6YGYEUjJJbxWmx7DTc3HDA==
+=DNhd
+-----END PGP SIGNATURE-----