Move most GPG-related code to a gerrit-gpg module
Bouncy Castle is still an optional dependency for Gerrit, so we want to avoid accidentally attempting to load Bouncy Castle classes when they might not be available. Rather than try to guard every org.bouncycastle.* reference with a hasPGP() check, reduce the surface area of calls that actually require Bouncy Castle. Move almost all code that calls Bouncy Castle into a new module, gerrit-gpg. Callers need only interact with this module by installing the GpgModule, which is careful to protect all Bouncy Castle class loading with the appropriate havePGP() check. Moreover, this module doesn't need to be installed in the gerrit-server package at all, so we can break the compile-time dependency between gerrit-server and Bouncy Castle, so accidentally introducing a dependency on Bouncy Castle results in a compile error. The REST API and extension APIs dealing with GPG keys only refer to the GpgKeyInfo POJO, and don't need to actually refer to Bouncy Castle classes. Add a shim interface, GpgApiAdapter, that is used by AccountApiImpl to process GPG keys. GpgModule binds this interface to either the Bouncy Castle enabled implementation, or a not-implemented implementation. Since there are various places in the server code where we want to inspect whether signed push is enabled at the server level, but we don't want to have to call into gerrit-gpg code to do this, bind a boolean with @EnableSignedPush from GpgModule. Change-Id: Idbab00a52d86216cae73d02876d56be54aef6581
This commit is contained in:
Dave Borowitz
@@ -1,56 +0,0 @@
|
||||
// Copyright (C) 2015 The Android Open Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package com.google.gerrit.server.util;
|
||||
|
||||
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
|
||||
import java.lang.reflect.Constructor;
|
||||
import java.lang.reflect.InvocationTargetException;
|
||||
import java.security.Security;
|
||||
|
||||
/** Utility methods for Bouncy Castle. */
|
||||
public class BouncyCastleUtil {
|
||||
/**
|
||||
* Check for Bouncy Castle PGP support.
|
||||
* <p>
|
||||
* As a side effect, adds {@link BouncyCastleProvider} as a security provider.
|
||||
*
|
||||
* @return whether Bouncy Castle PGP support is enabled.
|
||||
*/
|
||||
public static boolean havePGP() {
|
||||
try {
|
||||
Class.forName(PGPPublicKey.class.getName());
|
||||
addBouncyCastleProvider();
|
||||
return true;
|
||||
} catch (NoClassDefFoundError | ClassNotFoundException | SecurityException
|
||||
| NoSuchMethodException | InstantiationException
|
||||
| IllegalAccessException | InvocationTargetException
|
||||
| ClassCastException noBouncyCastle) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static void addBouncyCastleProvider() throws ClassNotFoundException,
|
||||
SecurityException, NoSuchMethodException, InstantiationException,
|
||||
IllegalAccessException, InvocationTargetException {
|
||||
Class<?> clazz = Class.forName(BouncyCastleProvider.class.getName());
|
||||
Constructor<?> constructor = clazz.getConstructor();
|
||||
Security.addProvider((java.security.Provider) constructor.newInstance());
|
||||
}
|
||||
|
||||
private BouncyCastleUtil() {
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user