PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-11 19:29:39 +02:00
Code Issues Releases Wiki Activity

WIP: Explore implementing a concrete HardwareSecurity implementation using Yubikit

Browse source
This commit is contained in:
Paul Schaub 2025-09-06 19:51:11 +02:00
parent cccd3287c1
commit 9f0a9ccfa6
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
7 changed files with 112 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

35
pgpainless-yubikey/build.gradle Normal file
View file

@ -0,0 +1,35 @@
// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
//
// SPDX-License-Identifier: Apache-2.0
plugins {
id 'java-library'
}
group 'org.pgpainless'
repositories {
mavenCentral()
mavenLocal()
}
dependencies {
testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
// Logging
testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
implementation(project(":pgpainless-core"))
api "com.yubico.yubikit:openpgp:$yubikitVersion"
implementation "com.google.code.findbugs:jsr305:3.0.2"
}
// https://docs.gradle.org/current/userguide/java_library_plugin.html#sec:java_library_modular_auto
tasks.named('jar') {
manifest {
attributes('Automatic-Module-Name': 'org.pgpainless.yubikey')
}
}

67
pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyDataDecryptorFactory.kt Normal file
View file

@ -0,0 +1,67 @@
package org.pgpainless.yubikey
import com.yubico.yubikit.core.smartcard.SmartCardConnection
import com.yubico.yubikit.openpgp.KeyRef
import com.yubico.yubikit.openpgp.OpenPgpSession
import org.bouncycastle.bcpg.KeyIdentifier
import org.pgpainless.decryption_verification.HardwareSecurity
class YubikeyDataDecryptorFactory(
smartCardConnection: SmartCardConnection,
callback: HardwareSecurity.DecryptionCallback,
keyIdentifier: KeyIdentifier,
) : HardwareSecurity.HardwareDataDecryptorFactory(keyIdentifier, callback) {
companion object {
@JvmStatic
fun createDecryptorFromConnection(smartCardConnection: SmartCardConnection): HardwareSecurity.HardwareDataDecryptorFactory {
val openpgpSession = OpenPgpSession(smartCardConnection)
val fingerprintBytes = openpgpSession.getData(KeyRef.DEC.fingerprint)
val decKeyIdentifier = KeyIdentifier(fingerprintBytes)
val rsa = true
val callback = object : HardwareSecurity.DecryptionCallback {
override fun decryptSessionKey(
keyIdentifier: KeyIdentifier,
keyAlgorithm: Int,
sessionKeyData: ByteArray,
pkeskVersion: Int
): ByteArray {
openpgpSession.verifyUserPin("asdasd".toCharArray(), true)
if(rsa) {
val decryptedSessionKey = openpgpSession.decrypt(sessionKeyData)
return decryptedSessionKey
} else {
/*
val secret = openpgpSession.decrypt(sessionKeyData)
val hashAlgorithm: Int = ecPubKey.getHashAlgorithm().toInt()
val symmetricKeyAlgorithm: Int = ecPubKey.getSymmetricKeyAlgorithm().toInt()
val userKeyingMaterial = RFC6637Utils.createUserKeyingMaterial(
this.pgpPrivKey.getPublicKeyPacket(),
BcKeyFingerprintCalculator(),
)
val rfc6637KDFCalculator = RFC6637KDFCalculator(
BcPGPDigestCalculatorProvider()[hashAlgorithm], symmetricKeyAlgorithm,
)
val key =
KeyParameter(rfc6637KDFCalculator.createKey(secret, userKeyingMaterial))
return PGPPad.unpadSessionData(
BcPublicKeyDataDecryptorFactory.unwrapSessionData(
keyEnc,
symmetricKeyAlgorithm,
key,
),
)
*/
throw UnsupportedOperationException("ECDH decryption is not yet implemented.")
}
}
}
return YubikeyDataDecryptorFactory(smartCardConnection, callback, decKeyIdentifier)
}
}
}