From 91730fd13fe028eb8582ab9dc8deab9acdddfc60 Mon Sep 17 00:00:00 2001
From: Paul Schaub <vanitasvitae@fsfe.org>
Date: Tue, 3 Jun 2025 11:51:30 +0200
Subject: [PATCH] SOP encrypt --profile=rfc9580: Only override enc mechanism
 with seipd2 if exclusively symmetric encryption is used

---
 .../org/pgpainless/encryption_signing/EncryptionOptions.kt    | 4 ++++
 .../src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt         | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt
index 980a2278..60e98626 100644
--- a/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt
+++ b/pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/EncryptionOptions.kt
@@ -9,6 +9,7 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing
 import org.bouncycastle.openpgp.api.MessageEncryptionMechanism
 import org.bouncycastle.openpgp.api.OpenPGPCertificate
 import org.bouncycastle.openpgp.api.OpenPGPCertificate.OpenPGPComponentKey
+import org.bouncycastle.openpgp.operator.PBEKeyEncryptionMethodGenerator
 import org.bouncycastle.openpgp.operator.PGPKeyEncryptionMethodGenerator
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.EncryptionPurpose
@@ -427,6 +428,9 @@ class EncryptionOptions(private val purpose: EncryptionPurpose, private val api:
 
     fun hasEncryptionMethod() = _encryptionMethods.isNotEmpty()
 
+    fun usesOnlyPasswordBasedEncryption() =
+        _encryptionMethods.all { it is PBEKeyEncryptionMethodGenerator }
+
     internal fun negotiateEncryptionMechanism(): MessageEncryptionMechanism {
         if (encryptionMechanismOverride != null) {
             return encryptionMechanismOverride!!
diff --git a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt
index 87d87b45..6e371ff0 100644
--- a/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt
+++ b/pgpainless-sop/src/main/kotlin/org/pgpainless/sop/EncryptImpl.kt
@@ -63,7 +63,8 @@ class EncryptImpl(private val api: PGPainless) : Encrypt {
             throw SOPGPException.MissingArg("Missing encryption method.")
         }
 
-        if (profile == RFC9580_PROFILE.name) {
+        if (encryptionOptions.usesOnlyPasswordBasedEncryption() &&
+            profile == RFC9580_PROFILE.name) {
             encryptionOptions.overrideEncryptionMechanism(
                 MessageEncryptionMechanism.aead(
                     SymmetricKeyAlgorithm.AES_128.algorithmId, AEADAlgorithm.OCB.algorithmId))