Skip to content

Commit

Permalink
Add missing key to the exception information
Browse files Browse the repository at this point in the history
  • Loading branch information
spyrkob committed Nov 1, 2024
1 parent 95d5252 commit 651435e
Show file tree
Hide file tree
Showing 5 changed files with 30 additions and 15 deletions.
4 changes: 2 additions & 2 deletions core/src/main/java/org/wildfly/channel/Channel.java
Original file line number Diff line number Diff line change
Expand Up @@ -231,14 +231,14 @@ public Builder() {

public Builder(Channel from) {
this.name = from.getName();
this.repositories = new ArrayList<>(from.getRepositories());
this.repositories = from.getRepositories() == null ? null : new ArrayList<>(from.getRepositories());
this.manifestCoordinate = from.getManifestCoordinate();
this.blocklistCoordinate = from.getBlocklistCoordinate();
this.strategy = from.getNoStreamStrategy();
this.description = from.getDescription();
this.vendor = from.getVendor();
this.gpgCheck = from._isGpgCheck();
this.gpgUrls = new ArrayList<>(from.getGpgUrls());
this.gpgUrls = from.getGpgUrls() == null ? null : new ArrayList<>(from.getGpgUrls());
}

public Channel build() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ public static SignatureResult noSignature(ArtifactIdentifier resource) {
return new SignatureResult(Result.NO_SIGNATURE, resource, null, null);
}

public static SignatureResult invalid(ArtifactIdentifier resource) {
return new SignatureResult(Result.INVALID, resource, null, null);
public static SignatureResult invalid(ArtifactIdentifier resource, String keyID) {
return new SignatureResult(Result.INVALID, resource, keyID, null);
}

public enum Result {OK, NO_MATCHING_CERT, REVOKED, EXPIRED, NO_SIGNATURE, INVALID;}
Expand Down
15 changes: 13 additions & 2 deletions core/src/main/java/org/wildfly/channel/spi/SignatureValidator.java
Original file line number Diff line number Diff line change
Expand Up @@ -48,19 +48,30 @@ SignatureResult validateSignature(ArtifactIdentifier artifactId, InputStream art
*/
class SignatureException extends RuntimeException {
private final SignatureResult signatureResult;
private String missingSignature;

public SignatureException(String message, Throwable cause, SignatureResult signatureResult) {
super(message, cause);
super(buildErrorMessage(message, signatureResult), cause);
this.signatureResult = signatureResult;
this.missingSignature = signatureResult.getKeyId();
}

public SignatureException(String message, SignatureResult signatureResult) {
super(message);
super(buildErrorMessage(message, signatureResult));
this.signatureResult = signatureResult;
this.missingSignature = signatureResult.getKeyId();
}

private static String buildErrorMessage(String message, SignatureResult signatureResult) {
return String.format("%s: %s%s", message, signatureResult.getResult(), signatureResult.getMessage() == null ? "" : signatureResult.getResult());
}

public SignatureResult getSignatureResult() {
return signatureResult;
}

public String getMissingSignature() {
return missingSignature;
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ public void invalidSignatureCausesError() throws Exception {
when(resolver.resolveArtifact("test.channels", "base-manifest",
ChannelManifest.EXTENSION + SIGNATURE_FILE_SUFFIX, ChannelManifest.CLASSIFIER, "1.0.0"))
.thenReturn(tempDir.resolve("test-manifest.yaml.asc").toFile());
when(signatureValidator.validateSignature(any(), any(), any(), any())).thenReturn(SignatureResult.invalid(mock(ArtifactIdentifier.class)));
when(signatureValidator.validateSignature(any(), any(), any(), any())).thenReturn(SignatureResult.invalid(mock(ArtifactIdentifier.class), "abcd"));
assertThrows(SignatureValidator.SignatureException.class,
() -> signedResolver.resolveChannelMetadata(List.of(new ChannelManifestCoordinate("test.channels", "base-manifest", "1.0.0"))));
}
Expand Down Expand Up @@ -154,7 +154,7 @@ public void failedSignatureValidationThrowsException() throws Exception {
ARTIFACT.classifier, ARTIFACT.version))
.thenReturn(signatureFile);
when(signatureValidator.validateSignature(eq(ARTIFACT),
any(), any(), any())).thenReturn(SignatureResult.invalid(ARTIFACT));
any(), any(), any())).thenReturn(SignatureResult.invalid(ARTIFACT, "abcd"));

assertThrows(SignatureValidator.SignatureException.class, () -> signedResolver.resolveArtifact(ARTIFACT.groupId,
ARTIFACT.artifactId, ARTIFACT.extension, ARTIFACT.classifier, ARTIFACT.version));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ public SignatureResult validateSignature(ArtifactIdentifier artifactId, InputStr
return SignatureResult.noSignature(artifactId);
}

final String keyID = Long.toHexString(pgpSignature.getKeyID()).toUpperCase(Locale.ROOT);
final String keyID = getKeyID(pgpSignature);
if (LOG.isTraceEnabled()) {
LOG.tracef("The signature was created using public key %s.", keyID);
}
Expand Down Expand Up @@ -134,7 +134,7 @@ public SignatureResult validateSignature(ArtifactIdentifier artifactId, InputStr
}
} catch (PGPException | IOException e) {
throw new SignatureException("Unable to parse the certificate downloaded from keyserver", e,
SignatureResult.noSignature(artifactId));
SignatureResult.noMatchingCertificate(artifactId, keyID));
}

if (key == null) {
Expand All @@ -146,7 +146,7 @@ public SignatureResult validateSignature(ArtifactIdentifier artifactId, InputStr
pgpPublicKeys = downloadPublicKey(gpgUrl);
} catch (IOException e) {
throw new SignatureException("Unable to parse the certificate downloaded from " + gpgUrl, e,
SignatureResult.noSignature(artifactId));
SignatureResult.noMatchingCertificate(artifactId, keyID));
}
if (pgpPublicKeys.stream().anyMatch(k -> k.getKeyID() == pgpSignature.getKeyID())) {
key = pgpPublicKeys.stream().filter(k -> k.getKeyID() == pgpSignature.getKeyID()).findFirst().get();
Expand Down Expand Up @@ -193,7 +193,7 @@ public SignatureResult validateSignature(ArtifactIdentifier artifactId, InputStr
pgpSignature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
} catch (PGPException e) {
throw new SignatureException("Unable to verify the signature using key " + keyID, e,
SignatureResult.invalid(artifactId));
SignatureResult.invalid(artifactId, keyID));
}
final SignatureResult result = verifyFile(artifactId, artifactStream, pgpSignature);

Expand Down Expand Up @@ -241,7 +241,7 @@ private SignatureResult checkRevoked(ArtifactIdentifier artifactId, String keyID
final Iterator<PGPSignature> subKeys = publicKey.getSignaturesOfType(PGPSignature.SUBKEY_BINDING);
while (subKeys.hasNext()) {
final PGPSignature subKeySignature = subKeys.next();
final PGPPublicKey subKey = keystore.get(Long.toHexString(subKeySignature.getKeyID()).toUpperCase(Locale.ROOT));
final PGPPublicKey subKey = keystore.get(getKeyID(subKeySignature));
if (subKey.hasRevocation()) {
if (LOG.isTraceEnabled()) {
LOG.tracef("Sub-key %s has been revoked.", Long.toHexString(subKey.getKeyID()).toUpperCase(Locale.ROOT));
Expand Down Expand Up @@ -285,16 +285,20 @@ private static SignatureResult verifyFile(ArtifactIdentifier artifactSource, Inp
// Verify the signature
try {
if (!pgpSignature.verify()) {
return SignatureResult.invalid(artifactSource);
return SignatureResult.invalid(artifactSource, getKeyID(pgpSignature));
} else {
return SignatureResult.ok();
}
} catch (PGPException e) {
throw new SignatureException("Unable to verify the file signature", e,
SignatureResult.invalid(artifactSource));
SignatureResult.invalid(artifactSource, getKeyID(pgpSignature)));
}
}

private static String getKeyID(PGPSignature pgpSignature) {
return Long.toHexString(pgpSignature.getKeyID()).toUpperCase(Locale.ROOT);
}

private static PGPSignature readSignatureFile(InputStream signatureStream) throws IOException {
PGPSignature pgpSignature = null;
try (InputStream decoderStream = PGPUtil.getDecoderStream(signatureStream)) {
Expand Down

0 comments on commit 651435e

Please sign in to comment.