Bug 575706 - Use the BouncyCastle Implementation instead of JCA to
prevent exhaustive
classpath scanning.
Change-Id: I9e79588874addd2092ea784d13a9bce35f1cfb98
Signed-off-by: Christoph Läubrich <laeubi@laeubi-soft.de>
Reviewed-on: https://git.eclipse.org/r/c/equinox/rt.equinox.p2/+/184567
Reviewed-by: Mickael Istria <mistria@redhat.com>
Reviewed-by: Alexander Kurtakov <akurtako@redhat.com>
Tested-by: Alexander Kurtakov <akurtako@redhat.com>
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java
index cc5304b..7234008 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/processors/pgp/PGPSignatureVerifier.java
@@ -14,11 +14,10 @@
import java.util.*;
import java.util.stream.Collectors;
import org.bouncycastle.bcpg.ArmoredInputStream;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
-import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
-import org.bouncycastle.openpgp.jcajce.JcaPGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
+import org.bouncycastle.openpgp.bc.BcPGPObjectFactory;
+import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.internal.p2.artifact.repository.Activator;
import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
@@ -60,12 +59,12 @@
}
List<PGPSignature> res = new ArrayList<>();
try (InputStream in = new ArmoredInputStream(new ByteArrayInputStream(signatureText.getBytes()))) {
- JcaPGPObjectFactory pgpFactory = new JcaPGPObjectFactory(in);
+ PGPObjectFactory pgpFactory = new BcPGPObjectFactory(in);
Object o = pgpFactory.nextObject();
PGPSignatureList signatureList = new PGPSignatureList(new PGPSignature[0]);
if (o instanceof PGPCompressedData) {
PGPCompressedData pgpCompressData = (PGPCompressedData) o;
- pgpFactory = new JcaPGPObjectFactory(pgpCompressData.getDataStream());
+ pgpFactory = new BcPGPObjectFactory(pgpCompressData.getDataStream());
signatureList = (PGPSignatureList) pgpFactory.nextObject();
} else if (o instanceof PGPSignatureList) {
signatureList = (PGPSignatureList) o;
@@ -108,8 +107,7 @@
return;
}
try {
- signature.init(new JcaPGPContentVerifierBuilderProvider().setProvider(new BouncyCastleProvider()),
- publicKey);
+ signature.init(new BcPGPContentVerifierBuilderProvider(), publicKey);
} catch (PGPException ex) {
setStatus(new Status(IStatus.ERROR, Activator.ID, ex.getMessage(), ex));
return;
@@ -145,7 +143,7 @@
Map<Long, PGPPublicKey> res = new HashMap<>();
try (InputStream stream = PGPUtil
.getDecoderStream(new ByteArrayInputStream(unnormalizedPGPProperty(armoredPublicKeyring).getBytes()))) {
- PGPPublicKeyRingCollection pgpPub = new JcaPGPPublicKeyRingCollection(stream);
+ PGPPublicKeyRingCollection pgpPub = new BcPGPPublicKeyRingCollection(stream);
pgpPub.getKeyRings().forEachRemaining(kRing ->
kRing.getPublicKeys().forEachRemaining(key -> res.put(key.getKeyID(), key))
