Added PGP clearsign verifier

cmaglie · cmaglie · commit 7c3b3a6394b7 · 2020-03-31T11:30:07.000+02:00
diff --git a/app/test/cc/arduino/contributions/SignatureVerifierTest.java b/app/test/cc/arduino/contributions/SignatureVerifierTest.java
@@ -29,13 +29,13 @@
 
 package cc.arduino.contributions;
 
-import org.junit.Before;
-import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 import java.io.File;
 
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
+import org.junit.Before;
+import org.junit.Test;
 
 public class SignatureVerifierTest {
 
@@ -62,4 +62,24 @@ public void testSignatureFailingVerification() throws Exception {
     File sign = new File(SignatureVerifierTest.class.getResource("./package_index.json.sig").getFile());
     assertFalse(verifier.verify(fakeSignedFile, sign));
   }
+
+  @Test
+  public void testClearTextSignatureVerification() throws Exception {
+    File signedFile = new File(SignatureVerifierTest.class.getResource("./text.txt.asc").getFile());
+    assertTrue(verifier.verifyCleartextSignature(signedFile));
+    File signedFile2 = new File(SignatureVerifierTest.class.getResource("./escaped-text.txt.asc").getFile());
+    assertTrue(verifier.verifyCleartextSignature(signedFile2));
+    File oneBlankLines = new File(SignatureVerifierTest.class.getResource("./one-blank-line.txt.asc").getFile());
+    assertTrue(verifier.verifyCleartextSignature(oneBlankLines));
+    File twoBlankLines = new File(SignatureVerifierTest.class.getResource("./two-blank-lines.txt.asc").getFile());
+    assertTrue(verifier.verifyCleartextSignature(twoBlankLines));
+    File noBlankLines = new File(SignatureVerifierTest.class.getResource("./no-blank-lines.txt.asc").getFile());
+    assertTrue(verifier.verifyCleartextSignature(noBlankLines));
+  }
+
+  @Test
+  public void testClearTextSignatureFailingVerification() throws Exception {
+    File signedFile = new File(SignatureVerifierTest.class.getResource("./wrong-text.txt.asc").getFile());
+    assertFalse(verifier.verifyCleartextSignature(signedFile));
+  }
 }
diff --git a/app/test/cc/arduino/contributions/escaped-text.txt.asc b/app/test/cc/arduino/contributions/escaped-text.txt.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- -
+- - 
+- - abc
+- -- abc
+helllo!!!!
+
+
+
+
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6CcaUACgkQlfpvQ+IR
+iMQD9w/+KA2ZusmFnpt7dXTy/6ohNCijMp3pFSVsBzGWBDpGJjYfwek2N8HssXIa
+Tq0uzCiTm1Z4kn+SWjIHxKzdihUi9mwkMCqdhNTZN0+FKXc+c358KUYXOlyigOmX
+256bG7Ep2P/3ZBzhvVC5WKLIwYhq6cj9fSnt26XP02qt/9ztczGJHDpEfIhPA0LI
+PYnUUo4KftQzHp41EPENIyLTkT1YzhypnIHCv2mG8qql+W9blx1eO8gIUGmzQQ0y
+CnTY0AIvmrAGd5WQWwKpKy5aLpWDmIW/zSSoDc7jC74i2V6n5Y+Fqq++SVDvIApd
+yP+BmL6pDfZf9cV8nDQOI9Jd+/JT3tUct5js9lDhj74g1ZGobx06kZPv/ojbSE42
+jJi75HQ3NDG8dBDMtYzrDeO0QhcpT94LNTdZ8IdR5jCf3I9SkpHB6sb27elVgcBb
+stXLRhrf0se2U2pI3CGDkjumm04cDOhY9tLt2CHMlL9yl9LZejyT3xUoLGAy1Ird
+Jw6knZM5O/bWzFq1bxlqgz6EspafNy+ZM8/1s+b9ecxKkds7UEZLpOVd+QYMO6i1
+lxm4ZQqRoTiIcVxzhwChd41zxPw9bMNq03prBMnetJ9tvb76qgGcCvRh/ANYWBfa
+2zeH3UGaOyMB79oKOSw0qzXkFA+0qXzROObVWTzjGOPZJtkfaA8=
+=BqjQ
+-----END PGP SIGNATURE-----
diff --git a/app/test/cc/arduino/contributions/no-blank-lines.txt.asc b/app/test/cc/arduino/contributions/no-blank-lines.txt.asc
@@ -0,0 +1,20 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+hello
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6C/AsACgkQlfpvQ+IR
+iMQYUA//SEHkb60xiXyP8TfTfxiJORr7ltvLtL7N9IwpnrkeKdvvrxC71O5U4kdf
+Ek5XUALXUPArWJHByKBZ3saQapRPMUNbsLDG9QqtIffORqgPnfPAgMiGYceIaT1o
+QChspIQRL6xt6k8c6o2M5R7CBMjiDqaldpJHsq3kcjcgHBmJFPdDdhjA2D9s4mCo
+nymy3PqLcZ4RARrED61VlF4hcVHv5BHPnDZDXug3oGiR2EQTpdQgvBg/rL2xiVHl
+MgZ6/5owF6omeNM30JNPQfNdDnV2jDhxILfjY2Rqyj9zClrnZB6qox6h1RoSKIFy
+UkBUAs3WapZMqR2UKq3K7dL8cqUKoOFdSpd/R2T4ZBC/6exiwVnbDGa161ur8f4/
+55RxAe/VE+75bC7HI3jNAUn7xGMUGBWgTKh+xTnyh50BHifmCIzyLOgRWds/rvMH
+PT0fmtbTWhjrJOfuhi15uSJ0Lvq/XuM/z/aIgeZHaIBnIxvRYUOdP6Rz1xKHmc2q
++puI2FxpbENUyt8TNlrnHJeq72UubVIRJ08CE2iiuWjP+1jFxPYA1tWBYrqtbK7y
+2ZPq5c+vy8LMij/SfZkeOa388Ss3lXr5CTJ+O2VMLellyCdUd0G47T26umCr6zaF
+jX1huU0rfA+vGLVfr1Z2nexX0r7kwebkz/PWIO1+Kc41gBY+cek=
+=Rejh
+-----END PGP SIGNATURE-----
diff --git a/app/test/cc/arduino/contributions/one-blank-line.txt.asc b/app/test/cc/arduino/contributions/one-blank-line.txt.asc
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+hello
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6C/E8ACgkQlfpvQ+IR
+iMS/iA/+KxhaOTokmXTKgSkZwaCdPwTIdcfIVWMsK6mxXcSeWtmQpCxMyH3sudaA
+MvVg8qMHTTiYbFD5TMBF79Eu3nJuLemnm7WbpQMAQ7/Ay8qDrH6MIIqeR6TLa6CO
+VQw2a9H3AoqVxBtH0y6vVk+mOnr8NnZA3XoT0B2TuLApqY4uFt9quHBkrycHdXve
+6++EyiYeDgY6oG1bAR0S/peFhCL45CId9xJe5RIHT7aFoDKw78LPcfoTLdKCtzzE
+CdX1IpzP/tOVlv0LTNPWQQeRQ07BKpquQnQbzuAgVFbLf27kI2e+AxjIdmozEjO9
+rk9Za0tpKYCYT5lF9zfmaCWzkhTfrjB8OPXWYHjozzv4aUhfvgQ+TF9dynWU4ct8
+ACRkb+bp+ENZVy0/1VdDDs3wrFnMHuZyrBWXNI8sBu6f1JSG4ddgy7NfPveOJEdG
+wg/4mxzSnBQ7jogRaJLioC+mjxulmN1FCoDMwphOLkmaIX1qIL3OxkEBfSzpfkfe
+wAYhjSqLHHXwx0W0resDahC2L81gBnTbf0yP1jEWjnSs96AqwvLSAj0gyC4BtVoN
+LSgYDFeNitoBMDx8osi0KjLydOzbQW9L5u//Rm/Q/8/p7+4u/X3X8EWHULHIsrRW
+T9M6jun8zTr9OLAk9W1T76Yu2Wyu+ps6f6iAeSlvqTTpr3+j2W4=
+=0JE+
+-----END PGP SIGNATURE-----
diff --git a/app/test/cc/arduino/contributions/text.txt.asc b/app/test/cc/arduino/contributions/text.txt.asc
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+helllo!!!!
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6CPtwACgkQlfpvQ+IR
+iMS8AA//dCIbYCPwTdOFf3YRFO2Z7YSgAgEpctcH1UW9IaZpGlfZDqiskgNT5zWx
+ooW0EqVagyyY+1Fips4a52/urQmbQ+0RIU6r4zDUvyMoN/f41jFKd1eY365oqORo
+G5avMFhZ7PwbYXKhDeVQrDCRSYSvWYyRXH97VpFvo/SSuvB7KWvlTFFK9rt1xysx
+rjikCqMWuPeReSclLCMCGQGjcJExNsu7E9l55NcJMOP8a3yVlY9b1LwH5nuVXOfw
+UvSzHK2K16O3COb0otWN8VZHB0x2y3Y1boIF2J/Wt9zBaB/d4cmacwL4KLHiw7KR
+q5YzDfEpmwMM9S5QLsLPYBWr9B1XSQ+PrylPSha1NnDStr/RkFtwVsags3igJu5E
+Ye+aJra6D/VREFc/IQYsEmcDHYdKp3CNJn/BdNwTDI4BIdj4lBDd6lVrcL+Id8pl
+ivdk1bV/575eTH9cDf65aF/lmd/z6dGNLcke4N76n8g/xjAuSkN7FDm91KGv9oCJ
+e0eO0+GDJbfMHz61vQ1DPfUWqyQLC3z9OeX+bUvqSb1Xy9i2OI0FlY3GMtwDONto
+qShjcbeXXYt74bINsAEV78pSoYPHc2rYco1/qrAL1bYY9Hngy3FvgD7mVNd7nC/J
+buFQ4Ek07urJpA9lw8o/z49O7iGisc8UXuPeHY2z7LmUuCvKpKI=
+=DKVh
+-----END PGP SIGNATURE-----
diff --git a/app/test/cc/arduino/contributions/two-blank-lines.txt.asc b/app/test/cc/arduino/contributions/two-blank-lines.txt.asc
@@ -0,0 +1,22 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+hello
+
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6C/H8ACgkQlfpvQ+IR
+iMQD9RAAk34n7WegdXdreKLU5nAkx9/lcPwZYRcwTeV6pgroxQ3XuC3oEqUwDQtD
+RLT+Gc+1j7XMGxTIJtHhpwpJk2IeT5x/lfqpMwpHoJUEOA/QZ7YtUTUj5aqc3bJV
+QEWXrNyceqaYkUguR7gk0ahtniTuaj9WaixRpxiu9+AMht74g0iZm99h2fpgiIb1
+7M2SdMbmyW1mK7BFN9Cghz/8NedV6TeKpQnWWpN+hdO1fsjGIVRNRfTMod7gL6QK
+KhPa3eQW+yxlEshKZwQJwIe3vcgquK6bAl/p20EU7+2ytnFd3zBhcCFJtC6fV+zF
+s89BOAoAJPRaBKbQp01IsBB5mNZUxKFOa+e94tFLmaaI7KhHB7oQ7Qnx+hTgq7bG
+9PRza0bHMkBPumACM8FNjOlzJNY5eTnfDcAq2kgaAdoX5LFLrIiYUNtz9gmIIHNj
+xekG9LB3WUv013jPSOUnbmGkch0VvVgFvcsOtGWTHp+VlZLOWZjXkO+Cco2qWcVr
+F7ckPTXs+nzoOTVsYZLfN8g92y2sT548+Q9bCtT1QStGCSTyNF1o0JW9Ih1hsSkn
+qJVgo8wGO45mTT4GJ6VWUkFkAjoaZM14F70CJp0eLw5PSxDIkSsmkL7CYwGeA+6N
+UtKIJ1ZoFMElW5bMuSayLEjtC9RkGILjplkiFY+h7gJd/vitTvI=
+=g/9c
+-----END PGP SIGNATURE-----
diff --git a/app/test/cc/arduino/contributions/wrong-text.txt.asc b/app/test/cc/arduino/contributions/wrong-text.txt.asc
@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+!!helllo!!!!
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEMmVnwcayiN8yywYalfpvQ+IRiMQFAl6CPtwACgkQlfpvQ+IR
+iMS8AA//dCIbYCPwTdOFf3YRFO2Z7YSgAgEpctcH1UW9IaZpGlfZDqiskgNT5zWx
+ooW0EqVagyyY+1Fips4a52/urQmbQ+0RIU6r4zDUvyMoN/f41jFKd1eY365oqORo
+G5avMFhZ7PwbYXKhDeVQrDCRSYSvWYyRXH97VpFvo/SSuvB7KWvlTFFK9rt1xysx
+rjikCqMWuPeReSclLCMCGQGjcJExNsu7E9l55NcJMOP8a3yVlY9b1LwH5nuVXOfw
+UvSzHK2K16O3COb0otWN8VZHB0x2y3Y1boIF2J/Wt9zBaB/d4cmacwL4KLHiw7KR
+q5YzDfEpmwMM9S5QLsLPYBWr9B1XSQ+PrylPSha1NnDStr/RkFtwVsags3igJu5E
+Ye+aJra6D/VREFc/IQYsEmcDHYdKp3CNJn/BdNwTDI4BIdj4lBDd6lVrcL+Id8pl
+ivdk1bV/575eTH9cDf65aF/lmd/z6dGNLcke4N76n8g/xjAuSkN7FDm91KGv9oCJ
+e0eO0+GDJbfMHz61vQ1DPfUWqyQLC3z9OeX+bUvqSb1Xy9i2OI0FlY3GMtwDONto
+qShjcbeXXYt74bINsAEV78pSoYPHc2rYco1/qrAL1bYY9Hngy3FvgD7mVNd7nC/J
+buFQ4Ek07urJpA9lw8o/z49O7iGisc8UXuPeHY2z7LmUuCvKpKI=
+=DKVh
+-----END PGP SIGNATURE-----
diff --git a/arduino-core/src/cc/arduino/contributions/SignatureVerifier.java b/arduino-core/src/cc/arduino/contributions/SignatureVerifier.java
@@ -31,17 +31,20 @@
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 
 import org.apache.commons.compress.utils.IOUtils;
+import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPSignature;
 import org.bouncycastle.openpgp.PGPSignatureList;
 import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
 import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
 
@@ -127,4 +130,70 @@ private PGPPublicKey readPublicKey(long id) throws IOException, PGPException {
     }
   }
 
+  public String[] extractTextFromCleartextSignature(File inFile) throws FileNotFoundException, IOException {
+    try (ArmoredInputStream in = new ArmoredInputStream(new FileInputStream(inFile))) {
+      return extractTextFromCleartextSignature(in);
+    }
+  }
+
+  public boolean verifyCleartextSignature(File inFile) {
+    try (ArmoredInputStream in = new ArmoredInputStream(new FileInputStream(inFile))) {
+      String[] clearTextLines = extractTextFromCleartextSignature(in);
+      int clearTextSize = clearTextLines.length;
+
+      JcaPGPObjectFactory pgpFact = new JcaPGPObjectFactory(in);
+      PGPSignatureList p3 = (PGPSignatureList) pgpFact.nextObject();
+      PGPSignature sig = p3.get(0);
+      PGPPublicKey publicKey = readPublicKey(sig.getKeyID());
+
+      sig.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
+      for (int i = 0; i < clearTextSize; i++) {
+        sig.update(clearTextLines[i].getBytes());
+        if (i + 1 < clearTextSize) {
+          // https://tools.ietf.org/html/rfc4880#section-7
+          // Convert all line endings to '\r\n'
+          sig.update((byte) '\r');
+          sig.update((byte) '\n');
+        }
+      }
+      return sig.verify();
+    } catch (Exception e) {
+      e.printStackTrace();
+      return false;
+    }
+  }
+
+  private String[] extractTextFromCleartextSignature(ArmoredInputStream in) throws FileNotFoundException, IOException {
+    // https://tools.ietf.org/html/rfc4880#section-7
+    // ArmoredInputStream does unescape dash-escaped string in armored text and skips
+    // all headers. To calculate the signature we still need to:
+    // 1. handle different line endings \n or \n\r or \r\n
+    // 2. remove trailing whitespaces from each line (' ' and '\t')
+    // 3. remove the latest line ending
+
+    String clearText = "";
+    for (;;) {
+      int c = in.read();
+      // in.isClearText() refers to the PREVIOUS byte read
+      if (c == -1 || !in.isClearText()) {
+        break;
+      }
+      // 1. convert all line endings to '\r\n'
+      if (c == '\r') {
+        continue;
+      }
+      clearText += (char) c;
+    }
+
+    // 3. remove the latest line ending
+    if (clearText.endsWith("\n")) {
+      clearText = clearText.substring(0, clearText.length() - 1);
+    }
+    String[] lines = clearText.split("\n", -1);
+    for (int i = 0; i < lines.length; i++) {
+      // 2. remove trailing whitespaces from each line (' ' and '\t')
+      lines[i] = lines[i].replaceAll("[ \\t]+$", "");
+    }
+    return lines;
+  }
 }
