Wip

pgpainless-core/src/main/java/org/pgpainless/key/protection/SecretKeyRingProtector.java

@@ -29,7 +29,12 @@ import org.pgpainless.key.protection.passphrase_provider.SecretKeyPassphraseProv
 import org.pgpainless.util.Passphrase;
 
 /**
- * Interface that is used to provide secret key ring encryptors and decryptors.
+ * Task of the {@link SecretKeyRingProtector} is to map encryptor/decryptor objects to key-ids.
+ * {@link PBESecretKeyEncryptor PBESecretKeyEncryptors}/{@link PBESecretKeyDecryptor PBESecretKeyDecryptors} are used
+ * to encrypt/decrypt secret keys using a passphrase.
+ *
+ * While it is easy to create an implementation of this interface that fits your needs, there are a bunch of
+ * implementations ready for use.
  */
 public interface SecretKeyRingProtector {
 
@@ -57,6 +62,8 @@ public interface SecretKeyRingProtector {
      * The protector maintains an in-memory cache of passphrases and can be extended with new passphrases
      * at runtime.
      *
+     * See {@link CachingSecretKeyRingProtector} for how to memorize/forget additional passphrases during runtime.
+     *
      * @param missingPassphraseCallback callback that is used to provide missing passphrases.
      * @return caching secret key protector
      */
@@ -70,6 +77,9 @@ public interface SecretKeyRingProtector {
     /**
      * Use the provided passphrase to lock/unlock all subkeys in the provided key ring.
      *
+     * This protector will use the provided passphrase to lock/unlock all subkeys present in the provided keys object.
+     * For other keys that are not present in the ring, it will return null.
+     *
      * @param passphrase passphrase
      * @param keys key ring
      * @return protector
@@ -84,6 +94,10 @@ public interface SecretKeyRingProtector {
 
     /**
      * Use the provided passphrase to lock/unlock only the provided (sub-)key.
+     * This protector will only return a non-null encryptor/decryptor based on the provided passphrase if
+     * {@link #getEncryptor(Long)}/{@link #getDecryptor(Long)} is getting called with the key-id of the provided key.
+     *
+     * Otherwise this protector will always return null.
      *
      * @param passphrase passphrase
      * @param key key to lock/unlock
@@ -95,6 +109,12 @@ public interface SecretKeyRingProtector {
 
     /**
      * Protector for unprotected keys.
+     * This protector returns null for all {@link #getEncryptor(Long)}/{@link #getDecryptor(Long)} calls,
+     * no matter what the key-id is.
+     *
+     * As a consequence, this protector can only "unlock" keys which are not protected using a passphrase, and it will
+     * leave keys unprotected, should it be used to "protect" a key
+     * (eg. in {@link org.pgpainless.key.modification.secretkeyring.SecretKeyRingEditor#changePassphraseFromOldPassphrase(Passphrase)}).
      *
      * @return protector
      */