WIP: Explore implementing a concrete HardwareSecurity implementation using Yubikit

2025-12-11 23:01:08 +01:00 · 2025-09-06 19:51:11 +02:00 · 2025-09-06 19:51:11 +02:00 · 65159255f1
commit 65159255f1
parent b10e117795
7 changed files with 112 additions and 8 deletions
--- a/pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyDataDecryptorFactory.kt
+++ b/pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyDataDecryptorFactory.kt
@ -0,0 +1,67 @@
+package org.pgpainless.yubikey
+
+import com.yubico.yubikit.core.smartcard.SmartCardConnection
+import com.yubico.yubikit.openpgp.KeyRef
+import com.yubico.yubikit.openpgp.OpenPgpSession
+import org.bouncycastle.bcpg.KeyIdentifier
+import org.pgpainless.decryption_verification.HardwareSecurity
+
+class YubikeyDataDecryptorFactory(
+    smartCardConnection: SmartCardConnection,
+    callback: HardwareSecurity.DecryptionCallback,
+    keyIdentifier: KeyIdentifier,
+) : HardwareSecurity.HardwareDataDecryptorFactory(keyIdentifier, callback) {
+
+    companion object {
+        @JvmStatic
+        fun createDecryptorFromConnection(smartCardConnection: SmartCardConnection): HardwareSecurity.HardwareDataDecryptorFactory {
+            val openpgpSession = OpenPgpSession(smartCardConnection)
+            val fingerprintBytes = openpgpSession.getData(KeyRef.DEC.fingerprint)
+            val decKeyIdentifier = KeyIdentifier(fingerprintBytes)
+            val rsa = true
+
+            val callback = object : HardwareSecurity.DecryptionCallback {
+                override fun decryptSessionKey(
+                    keyIdentifier: KeyIdentifier,
+                    keyAlgorithm: Int,
+                    sessionKeyData: ByteArray,
+                    pkeskVersion: Int
+                ): ByteArray {
+                    openpgpSession.verifyUserPin("asdasd".toCharArray(), true)
+                    if(rsa) {
+                        val decryptedSessionKey = openpgpSession.decrypt(sessionKeyData)
+
+                        return decryptedSessionKey
+                    } else {
+                        /*
+                        val secret = openpgpSession.decrypt(sessionKeyData)
+                        val hashAlgorithm: Int = ecPubKey.getHashAlgorithm().toInt()
+                        val symmetricKeyAlgorithm: Int = ecPubKey.getSymmetricKeyAlgorithm().toInt()
+                        val userKeyingMaterial = RFC6637Utils.createUserKeyingMaterial(
+                            this.pgpPrivKey.getPublicKeyPacket(),
+                            BcKeyFingerprintCalculator(),
+                        )
+                        val rfc6637KDFCalculator = RFC6637KDFCalculator(
+                            BcPGPDigestCalculatorProvider()[hashAlgorithm], symmetricKeyAlgorithm,
+                        )
+                        val key =
+                            KeyParameter(rfc6637KDFCalculator.createKey(secret, userKeyingMaterial))
+                        return PGPPad.unpadSessionData(
+                            BcPublicKeyDataDecryptorFactory.unwrapSessionData(
+                                keyEnc,
+                                symmetricKeyAlgorithm,
+                                key,
+                            ),
+                        )
+                         */
+                        throw UnsupportedOperationException("ECDH decryption is not yet implemented.")
+                    }
+                }
+
+            }
+
+            return YubikeyDataDecryptorFactory(smartCardConnection, callback, decKeyIdentifier)
+        }
+    }
+
+}