WIP: Explore implementing a concrete HardwareSecurity implementation using Yubikit

2025-12-06 12:21:15 +01:00 · 2025-09-06 19:51:11 +02:00 · 2025-09-06 19:51:11 +02:00 · 65159255f1
commit 65159255f1
parent b10e117795
7 changed files with 112 additions and 8 deletions
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/ConsumerOptions.kt
@ -38,7 +38,7 @@ class ConsumerOptions(private val api: PGPainless) {

    private var sessionKey: SessionKey? = null
    private val customDecryptorFactories =
-        mutableMapOf<SubkeyIdentifier, PublicKeyDataDecryptorFactory>()
+        mutableMapOf<KeyIdentifier, PublicKeyDataDecryptorFactory>()
    private val decryptionKeys = mutableMapOf<OpenPGPKey, SecretKeyRingProtector>()
    private val decryptionPassphrases = mutableSetOf<Passphrase>()
    private var missingKeyPassphraseStrategy = MissingKeyPassphraseStrategy.INTERACTIVE
@ -245,7 +245,7 @@ class ConsumerOptions(private val api: PGPainless) {
     * @return options
     */
    fun addCustomDecryptorFactory(factory: CustomPublicKeyDataDecryptorFactory) = apply {
-        customDecryptorFactories[factory.subkeyIdentifier] = factory
+        customDecryptorFactories[factory.keyIdentifier] = factory
    }

    /**
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactory.kt
@ -4,9 +4,9 @@

 package org.pgpainless.decryption_verification

+import org.bouncycastle.bcpg.KeyIdentifier
 import org.bouncycastle.openpgp.operator.AbstractPublicKeyDataDecryptorFactory
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory
-import org.pgpainless.key.SubkeyIdentifier

 /**
 * Custom [PublicKeyDataDecryptorFactory] which can enable customized implementations of message
@ -23,5 +23,5 @@ abstract class CustomPublicKeyDataDecryptorFactory : AbstractPublicKeyDataDecryp
     *
     * @return subkey identifier
     */
-    abstract val subkeyIdentifier: SubkeyIdentifier
+    abstract val keyIdentifier: KeyIdentifier
 }
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt
@ -72,8 +72,8 @@ class HardwareSecurity {
     * session keys to a [DecryptionCallback]. Users can provide such a callback to delegate
     * decryption of messages to hardware security SDKs.
     */
-    class HardwareDataDecryptorFactory(
-        override val subkeyIdentifier: SubkeyIdentifier,
+    open class HardwareDataDecryptorFactory(
+        override val keyIdentifier: KeyIdentifier,
        private val callback: DecryptionCallback,
    ) : CustomPublicKeyDataDecryptorFactory() {

@ -110,7 +110,7 @@ class HardwareSecurity {
        ): ByteArray {
            return try {
                callback.decryptSessionKey(
-                    subkeyIdentifier.keyIdentifier, keyAlgorithm, secKeyData[0], pkeskVersion)
+                    keyIdentifier, keyAlgorithm, secKeyData[0], pkeskVersion)
            } catch (e: HardwareSecurityException) {
                throw PGPException("Hardware-backed decryption failed.", e)
            }