Refactor signed push support

Separate out classes for reading public keys from a repository;
checking the public keys; and checking push certificates. This
minimizes the amount of Gerrit-specific code which needs to go in the
actual pre-receive hook, and makes testing much more feasible. Add
lots of tests.

When verifying a signature, iterate over all possible keys to find one
that can verify the signature, and only then check the key.

Move these various classes into a "gpg" subpackage. We use gpg rather
than pgp (as Bouncy Castle does) for consistency with C git, which
refers to its OpenPGP support consistently as "gpg".

Written with a minimum of dependencies (e.g. no Guava or AutoValue)
for ease of upstreaming into JGit.

Change-Id: I88588a2d33a5e9ea3a75900a0db6ab07269826e8
Dave Borowitz
2015-07-07 20:02:08 -07:00
parent 71df11c62f
commit 61003e99ce
16 changed files with 1475 additions and 420 deletions

@@ -59,7 +59,7 @@ public class RefNames {
/**
* Special ref for GPG public keys used by {@link
* com.google.gerrit.server.git.SignedPushPreReceiveHook}.
* com.google.gerrit.server.git.gpg.SignedPushPreReceiveHook}.
*/
public static final String REFS_GPG_KEYS = "refs/meta/gpg-keys";
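Review bot: The Javadoc on REFS_GPG_KEYS still names only SignedPushPreReceiveHook as the user of this ref, while the commit message says reading public keys from a repository is being separated into its own class. Consider pointing the {@link} at the class that actually reads refs/meta/gpg-keys, or describing what the ref stores, so the comment does not need another edit the next time the hook moves. The fully qualified name inside a {@link} is not checked by the compiler, so it is also worth confirming that the Javadoc build resolves the new com.google.gerrit.server.git.gpg path.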