Transparent decryption

REUSE.toml

@@ -111,6 +111,13 @@ precedence = "aggregate"
 SPDX-FileCopyrightText = "2022 Paul Schaub <info@pgpainless.org>"
 SPDX-License-Identifier = "Apache-2.0"
 
+[[annotations]]
+path = "pgpainless-yubikey/src/test/resources/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2025 Paul Schaub <info@pgpainless.org>"
+SPDX-License-Identifier = "Apache-2.0"
+
+
 [[annotations]]
 path = ".github/ISSUE_TEMPLATE/**"
 precedence = "aggregate"

pgpainless-core/src/main/kotlin/org/gnupg/GnuPGDummyKeyUtil.kt

@@ -57,11 +57,10 @@ class GnuPGDummyKeyUtil private constructor() {
          */
         @JvmStatic fun modify(secretKeys: PGPSecretKeyRing) = Builder(secretKeys)
 
-        @JvmStatic fun serialToBytes(sn: Int) = byteArrayOf(
+        @JvmStatic
-            (sn shr 24).toByte(),
+        fun serialToBytes(sn: Int) =
-            (sn shr(16)).toByte(),
+            byteArrayOf(
-            (sn shr(8)).toByte(),
+                (sn shr 24).toByte(), (sn shr (16)).toByte(), (sn shr (8)).toByte(), sn.toByte())
-            sn.toByte())
     }
 
     class Builder(private val keys: PGPSecretKeyRing) {

pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/OpenPgpMessageInputStream.kt

@@ -38,7 +38,6 @@ import org.bouncycastle.openpgp.api.OpenPGPKey.OpenPGPSecretKey
 import org.bouncycastle.openpgp.api.OpenPGPSignature.OpenPGPDocumentSignature
 import org.bouncycastle.openpgp.api.exception.MalformedOpenPGPSignatureException
 import org.bouncycastle.openpgp.operator.PBEDataDecryptorFactory
-import org.bouncycastle.openpgp.operator.PGPDataDecryptorFactory
 import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory
 import org.bouncycastle.util.io.TeeInputStream
 import org.pgpainless.PGPainless
@@ -448,15 +447,18 @@ class OpenPgpMessageInputStream(
                 }
 
                 if (secretKey.hasExternalSecretKey()) {
-                    LOGGER.debug("Decryption key ${secretKey.keyIdentifier} is located on an external device, e.g. a smartcard.")
+                    LOGGER.debug(
+                        "Decryption key ${secretKey.keyIdentifier} is located on an external device, e.g. a smartcard.")
                     for (hardwareTokenBackend in options.hardwareTokenBackends) {
-                        LOGGER.debug("Attempt decryption with ${hardwareTokenBackend.getBackendName()} backend.")
+                        LOGGER.debug(
+                            "Attempt decryption with ${hardwareTokenBackend.getBackendName()} backend.")
                         if (decryptWithHardwareKey(
                             hardwareTokenBackend,
                             esks,
                             secretKey,
                             protector,
-                                SubkeyIdentifier(secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier),
+                            SubkeyIdentifier(
+                                secretKey.openPGPKey.pgpSecretKeyRing, secretKey.keyIdentifier),
                             pkesk)) {
                             return true
                         }
@@ -624,16 +626,22 @@ class OpenPgpMessageInputStream(
         pkesk: PGPPublicKeyEncryptedData
     ): Boolean {
         try {
-            val decrypted = pkesk.getDataStream(decryptorFactory)
             val sessionKey = SessionKey(pkesk.getSessionKey(decryptorFactory))
             throwIfUnacceptable(sessionKey.algorithm)
 
+            val pgpSessionKey = PGPSessionKey(sessionKey.algorithm.algorithmId, sessionKey.key)
+            val sessionKeyEncData = esks.esks.extractSessionKeyEncryptedData()
+            val decrypted =
+                sessionKeyEncData.getDataStream(
+                    api.implementation.sessionKeyDataDecryptorFactory(pgpSessionKey))
+
             val encryptedData = esks.toEncryptedData(sessionKey, layerMetadata.depth)
             encryptedData.decryptionKey = decryptionKeyId
             encryptedData.sessionKey = sessionKey
             encryptedData.addRecipients(esks.pkesks.plus(esks.anonPkesks).map { it.keyIdentifier })
             LOGGER.debug("Successfully decrypted data with key $decryptionKeyId")
-            val integrityProtected = IntegrityProtectedInputStream(decrypted, pkesk, options)
+            val integrityProtected =
+                IntegrityProtectedInputStream(decrypted, sessionKeyEncData, options)
             nestedInputStream =
                 OpenPgpMessageInputStream(integrityProtected, options, encryptedData, api)
             return true
@@ -790,7 +798,7 @@ class OpenPgpMessageInputStream(
         }
     }
 
-    private class ESKsAndData(private val esks: PGPEncryptedDataList) {
+    private class ESKsAndData(val esks: PGPEncryptedDataList) {
         fun toEncryptedData(sk: SessionKey, depth: Int): EncryptedData {
             return when (EncryptedDataPacketType.of(esks)!!) {
                 EncryptedDataPacketType.SED ->

pgpainless-core/src/main/kotlin/org/pgpainless/encryption_signing/SigningOptions.kt

@@ -313,12 +313,14 @@ class SigningOptions(private val api: PGPainless) {
             subpacketsCallback)
     }
 
-    fun addInlineSignature(hardwareBackedKey: OpenPGPComponentKey,
+    fun addInlineSignature(
+        hardwareBackedKey: OpenPGPComponentKey,
         hardwareContentSignerBuilderProviderFactory: PGPContentSignerBuilderProviderFactory,
         hashAlgorithm: HashAlgorithm,
         signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT,
         subpacketsCallback: Callback? = null
-    ) = addHardwareSigningMethod(
+    ) =
+        addHardwareSigningMethod(
             hardwareBackedKey,
             hardwareContentSignerBuilderProviderFactory,
             hashAlgorithm,
@@ -532,7 +534,14 @@ class SigningOptions(private val api: PGPainless) {
         hashAlgorithm: HashAlgorithm,
         signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT,
         subpacketsCallback: Callback? = null
-    ) = addHardwareSigningMethod(hardwareBackedKey, hardwareContentSignerBuilderProviderFactory, hashAlgorithm, signatureType, true, subpacketsCallback)
+    ) =
+        addHardwareSigningMethod(
+            hardwareBackedKey,
+            hardwareContentSignerBuilderProviderFactory,
+            hashAlgorithm,
+            signatureType,
+            true,
+            subpacketsCallback)
 
     private fun addHardwareSigningMethod(
         hardwareBackedKey: OpenPGPComponentKey,
@@ -540,15 +549,15 @@ class SigningOptions(private val api: PGPainless) {
         hashAlgorithm: HashAlgorithm,
         signatureType: DocumentSignatureType = DocumentSignatureType.BINARY_DOCUMENT,
         detached: Boolean,
-        subpacketsCallback: Callback? = null) = apply {
+        subpacketsCallback: Callback? = null
+    ) = apply {
         rejectWeakKeys(hardwareBackedKey)
         val pubkey = hardwareBackedKey.pgpPublicKey
-        val pgpContentSignerBuilder = hardwareContentSignerBuilderProviderFactory.create(hashAlgorithm)
+        val pgpContentSignerBuilder =
-            .get(pubkey)
+            hardwareContentSignerBuilderProviderFactory.create(hashAlgorithm).get(pubkey)
 
-        val generator = PGPSignatureGenerator(
+        val generator =
-            pgpContentSignerBuilder, pubkey)
+            PGPSignatureGenerator(pgpContentSignerBuilder, pubkey).apply {
-            .apply {
                 init(signatureType.signatureType.code, pubkey)
             }
 
@@ -584,15 +593,17 @@ class SigningOptions(private val api: PGPainless) {
         if (!api.algorithmPolicy.publicKeyAlgorithmPolicy.isAcceptable(
             publicKeyAlgorithm, bitStrength)) {
             throw UnacceptableSigningKeyException(
-                PublicKeyAlgorithmPolicyException(
+                PublicKeyAlgorithmPolicyException(signingKey, publicKeyAlgorithm, bitStrength))
-                    signingKey, publicKeyAlgorithm, bitStrength))
         }
     }
 
-    private fun prepareSignatureGenerator(generator: PGPSignatureGenerator, signingKey: PGPPublicKey, subpacketCallback: Callback?) {
+    private fun prepareSignatureGenerator(
+        generator: PGPSignatureGenerator,
+        signingKey: PGPPublicKey,
+        subpacketCallback: Callback?
+    ) {
         // Subpackets
-        val hashedSubpackets =
+        val hashedSubpackets = SignatureSubpackets.createHashedSubpackets(signingKey)
-            SignatureSubpackets.createHashedSubpackets(signingKey)
         val unhashedSubpackets = SignatureSubpackets.createEmptySubpackets()
         if (subpacketCallback != null) {
             subpacketCallback.modifyHashedSubpackets(hashedSubpackets)

pgpainless-core/src/main/kotlin/org/pgpainless/exception/KeyException.kt

@@ -210,7 +210,6 @@ $algorithm of size $bitSize is not acceptable.""",
         }
     }
 
-    class GeneralKeyException(message: String,
+    class GeneralKeyException(message: String, fingerprint: OpenPgpFingerprint) :
-                              fingerprint: OpenPgpFingerprint
+        KeyException(message, fingerprint)
-    ) : KeyException(message, fingerprint)
 }

pgpainless-core/src/main/kotlin/org/pgpainless/hardware/HardwareTokenBackend.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.hardware
 
 import org.bouncycastle.openpgp.PGPPublicKeyEncryptedData

pgpainless-core/src/main/kotlin/org/pgpainless/signature/PGPContentSignerBuilderProviderFactory.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.signature
 
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilderProvider

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/Yubikey.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.YubiKeyDevice
@@ -16,7 +20,9 @@ data class Yubikey(val info: DeviceInfo, val device: YubiKeyDevice) {
     fun storeKeyInSlot(key: OpenPGPPrivateKey, keyRef: KeyRef, adminPin: CharArray) {
         device.openConnection(SmartCardConnection::class.java).use {
             // Extract private key
-            val privateKey = JcaPGPKeyConverter().setProvider(BouncyCastleProvider())
+            val privateKey =
+                JcaPGPKeyConverter()
+                    .setProvider(BouncyCastleProvider())
                     .getPrivateKey(key.keyPair.privateKey)
 
             val session = OpenPgpSession(it as SmartCardConnection)

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyDataDecryptorFactory.kt

@@ -7,6 +7,7 @@ package org.pgpainless.yubikey
 import com.yubico.yubikit.core.keys.PublicKeyValues
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
 import com.yubico.yubikit.openpgp.OpenPgpSession
+import java.util.*
 import org.bouncycastle.bcpg.ECDHPublicBCPGKey
 import org.bouncycastle.bcpg.KeyIdentifier
 import org.bouncycastle.bcpg.PublicKeyAlgorithmTags
@@ -27,7 +28,6 @@ import org.pgpainless.decryption_verification.HardwareSecurity
 import org.pgpainless.key.OpenPgpV4Fingerprint
 import org.pgpainless.key.SubkeyIdentifier
 import org.slf4j.LoggerFactory
-import java.util.*
 
 class YubikeyDataDecryptorFactory(
     callback: HardwareSecurity.DecryptionCallback,
@@ -36,13 +36,11 @@ class YubikeyDataDecryptorFactory(
 
     companion object {
 
-        @JvmStatic
+        @JvmStatic val LOGGER = LoggerFactory.getLogger(YubikeyDataDecryptorFactory::class.java)
-        val LOGGER = LoggerFactory.getLogger(YubikeyDataDecryptorFactory::class.java)
 
         val ADMIN_PIN: CharArray = "12345678".toCharArray()
         val USER_PIN: CharArray = "123456".toCharArray()
 
-
         @JvmStatic
         fun createDecryptorFromConnection(
             smartCardConnection: SmartCardConnection,
@@ -51,11 +49,13 @@ class YubikeyDataDecryptorFactory(
             val openpgpSession = OpenPgpSession(smartCardConnection)
             val decKeyIdentifier = SubkeyIdentifier(OpenPgpV4Fingerprint(pubkey))
 
-            val isRSAKey = pubkey.algorithm == PublicKeyAlgorithmTags.RSA_GENERAL
+            val isRSAKey =
-                || pubkey.algorithm == PublicKeyAlgorithmTags.RSA_SIGN
+                pubkey.algorithm == PublicKeyAlgorithmTags.RSA_GENERAL ||
-                || pubkey.algorithm == PublicKeyAlgorithmTags.RSA_ENCRYPT
+                    pubkey.algorithm == PublicKeyAlgorithmTags.RSA_SIGN ||
+                    pubkey.algorithm == PublicKeyAlgorithmTags.RSA_ENCRYPT
 
-            val callback = object : HardwareSecurity.DecryptionCallback {
+            val callback =
+                object : HardwareSecurity.DecryptionCallback {
                     override fun decryptSessionKey(
                         keyIdentifier: KeyIdentifier,
                         keyAlgorithm: Int,
@@ -63,26 +63,28 @@ class YubikeyDataDecryptorFactory(
                         pkeskVersion: Int
                     ): ByteArray {
                         // TODO: Move user pin verification somewhere else
-                    openpgpSession.verifyAdminPin(ADMIN_PIN)
                         openpgpSession.verifyUserPin(USER_PIN, true)
 
                         LOGGER.debug("Attempt decryption with key {}", keyIdentifier)
 
-                    if(isRSAKey) {
+                        if (isRSAKey) {
                             // easy
                             LOGGER.debug("Key is RSA key of length {}", pubkey.bitStrength)
                             val decryptedSessionKey = openpgpSession.decrypt(sessionKeyData)
+                            smartCardConnection.close()
                             return decryptedSessionKey
                         } else {
                             // meh...
                             val curveName = pubkey.getCurveName()
-                        val ecPubKey: ECDHPublicBCPGKey = pubkey.publicKeyPacket.key as ECDHPublicBCPGKey
+                            val ecPubKey: ECDHPublicBCPGKey =
+                                pubkey.publicKeyPacket.key as ECDHPublicBCPGKey
                             LOGGER.debug("Key is ECDH key over curve $curveName")
                             // split session data into peer key and encrypted session key
 
                             // peer key
                             val pLen =
-                            ((((sessionKeyData[0].toInt() and 0xff) shl 8) + (sessionKeyData[1].toInt() and 0xff)) + 7) / 8
+                                ((((sessionKeyData[0].toInt() and 0xff) shl 8) +
+                                    (sessionKeyData[1].toInt() and 0xff)) + 7) / 8
                             checkRange(2 + pLen + 1, sessionKeyData)
                             val pEnc = ByteArray(pLen)
                             System.arraycopy(sessionKeyData, 2, pEnc, 0, pLen)
@@ -96,11 +98,15 @@ class YubikeyDataDecryptorFactory(
                             // perform ECDH key agreement via the Yubikey
                             val params = ECNamedCurveTable.getParameterSpec(curveName)
                             val publicPoint = params.curve.decodePoint(pEnc)
-                        val peerKey = JcaPGPKeyConverter().setProvider(BouncyCastleProvider())
+                            val peerKey =
+                                JcaPGPKeyConverter()
+                                    .setProvider(BouncyCastleProvider())
                                     .getPublicKey(
                                         PGPPublicKey(
                                             PublicKeyPacket(
-                                        pubkey.version, PublicKeyAlgorithmTags.ECDH, Date(),
+                                                pubkey.version,
+                                                PublicKeyAlgorithmTags.ECDH,
+                                                Date(),
                                                 ECDHPublicBCPGKey(
                                                     ecPubKey.curveOID,
                                                     publicPoint,
@@ -112,12 +118,15 @@ class YubikeyDataDecryptorFactory(
                                         ),
                                     )
 
-                        val secret = openpgpSession.decrypt(PublicKeyValues.fromPublicKey(peerKey))
+                            val secret =
+                                openpgpSession.decrypt(PublicKeyValues.fromPublicKey(peerKey))
+                            smartCardConnection.close()
 
                             // Use the shared key to decrypt the session key
                             val hashAlgorithm: Int = ecPubKey.hashAlgorithm.toInt()
                             val symmetricKeyAlgorithm: Int = ecPubKey.symmetricKeyAlgorithm.toInt()
-                        val userKeyingMaterial = RFC6637Utils.createUserKeyingMaterial(
+                            val userKeyingMaterial =
+                                RFC6637Utils.createUserKeyingMaterial(
                                     pubkey.publicKeyPacket,
                                     BcKeyFingerprintCalculator(),
                                 )
@@ -127,7 +136,8 @@ class YubikeyDataDecryptorFactory(
                                     symmetricKeyAlgorithm,
                                 )
                             val key =
-                            KeyParameter(rfc6637KDFCalculator.createKey(secret, userKeyingMaterial))
+                                KeyParameter(
+                                    rfc6637KDFCalculator.createKey(secret, userKeyingMaterial))
 
                             return PGPPad.unpadSessionData(
                                 BcPublicKeyDataDecryptorFactory.unwrapSessionData(

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyHardwareTokenBackend.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
@@ -21,38 +25,43 @@ class YubikeyHardwareTokenBackend : HardwareTokenBackend {
         protector: SecretKeyRingProtector,
         pkesk: PGPPublicKeyEncryptedData
     ): Iterator<PublicKeyDataDecryptorFactory> {
-        val devices = YubikeyHelper().listDevices()
+        return object : Iterator<PublicKeyDataDecryptorFactory> {
-        return devices.map { yubikey ->
+            val devices = YubikeyHelper().listDevices().iterator()
-            yubikey.device.openConnection(SmartCardConnection::class.java).use {
+
-                val decFac = YubikeyDataDecryptorFactory.createDecryptorFromConnection(
+            override fun hasNext(): Boolean {
-                    it,
+                return devices.hasNext()
-                    secKey.pgpPublicKey
+            }
-                )
+
+            override fun next(): PublicKeyDataDecryptorFactory {
+                return devices.next().device.openConnection(SmartCardConnection::class.java).let {
+                    val decFac =
+                        YubikeyDataDecryptorFactory.createDecryptorFromConnection(
+                            it, secKey.pgpPublicKey)
                     decFac as PublicKeyDataDecryptorFactory
                 }
-        }.iterator()
+            }
+        }
     }
 
     override fun listDeviceSerials(): List<ByteArray> {
-        return YubikeyHelper().listDevices()
+        return YubikeyHelper().listDevices().mapNotNull { yk ->
-            .mapNotNull { yk -> yk.info.serialNumber?.let { GnuPGDummyKeyUtil.serialToBytes(it) } }
+            yk.info.serialNumber?.let { GnuPGDummyKeyUtil.serialToBytes(it) }
+        }
     }
 
     override fun listKeyFingerprints(): Map<ByteArray, List<ByteArray>> {
-        return YubikeyHelper().listDevices()
+        return YubikeyHelper().listDevices().associate { yk ->
-            .associate { yk ->
+            yk.encodedSerialNumber to
-                yk.encodedSerialNumber to yk.device.openConnection(SmartCardConnection::class.java).use {
+                yk.device.openConnection(SmartCardConnection::class.java).use {
                     val session = OpenPgpSession(it)
-                    //session.getData(KeyRef.DEC.fingerprint)
+                    // session.getData(KeyRef.DEC.fingerprint)
                     session.getData(KeyRef.SIG.fingerprint)
 
-
                     listOfNotNull(
                         session.getData(KeyRef.ATT.fingerprint),
                         session.getData(KeyRef.SIG.fingerprint),
                         session.getData(KeyRef.DEC.fingerprint),
-                        session.getData(KeyRef.AUT.fingerprint)
+                        session.getData(KeyRef.AUT.fingerprint))
-                    )
                 }
         }
     }

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyHelper.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
@@ -17,9 +21,9 @@ import org.pgpainless.key.OpenPgpFingerprint
 
 class YubikeyHelper(private val api: PGPainless = PGPainless.getInstance()) {
 
-    fun listDevices(
+    fun listDevices(manager: YubiKitManager = YubiKitManager()): List<Yubikey> =
-        manager: YubiKitManager = YubiKitManager()
+        manager
-    ): List<Yubikey> = manager.listAllDevices()
+            .listAllDevices()
             .filter { it.key is CompositeDevice }
             .map { Yubikey(it.value, it.key) }
 
@@ -29,7 +33,8 @@ class YubikeyHelper(private val api: PGPainless = PGPainless.getInstance()) {
         }
     }
 
-    fun moveToYubikey(componentKey: OpenPGPPrivateKey,
+    fun moveToYubikey(
+        componentKey: OpenPGPPrivateKey,
         yubikey: Yubikey,
         adminPin: CharArray,
         keyRef: KeyRef = keyRefForKey(componentKey.publicKey)
@@ -54,7 +59,8 @@ class YubikeyHelper(private val api: PGPainless = PGPainless.getInstance()) {
             key.isSigningKey -> KeyRef.SIG
             key.isEncryptionKey -> KeyRef.DEC
             key.isCertificationKey -> KeyRef.ATT
-            else -> throw KeyException.GeneralKeyException(
+            else ->
+                throw KeyException.GeneralKeyException(
                     "Cannot determine usage for the key.", OpenPgpFingerprint.of(key))
         }
     }

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyKeyGenerator.kt

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.keys.PublicKeyValues
@@ -6,6 +10,7 @@ import com.yubico.yubikit.management.DeviceInfo
 import com.yubico.yubikit.openpgp.KeyRef
 import com.yubico.yubikit.openpgp.OpenPgpCurve
 import com.yubico.yubikit.openpgp.OpenPgpSession
+import java.util.*
 import openpgp.toSecondsPrecision
 import org.bouncycastle.bcpg.PublicSubkeyPacket
 import org.bouncycastle.bcpg.S2K
@@ -22,16 +27,17 @@ import org.gnupg.GnuPGDummyKeyUtil
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.OpenPGPKeyVersion
 import org.pgpainless.algorithm.PublicKeyAlgorithm
-import java.util.*
 
 class YubikeyKeyGenerator(private val api: PGPainless) {
 
     private val converter = JcaPGPKeyConverter().setProvider(BouncyCastleProvider())
 
-    fun generateModernKey(yubikey: Yubikey,
+    fun generateModernKey(
+        yubikey: Yubikey,
         adminPin: CharArray,
         keyVersion: OpenPGPKeyVersion = OpenPGPKeyVersion.v4,
-                          creationTime: Date = Date()): OpenPGPKey {
+        creationTime: Date = Date()
+    ): OpenPGPKey {
         yubikey.device.openConnection(SmartCardConnection::class.java).use {
             val session = OpenPgpSession(it)
             session.verifyAdminPin(adminPin)
@@ -42,25 +48,28 @@ class YubikeyKeyGenerator(private val api: PGPainless) {
             val primarykey = toExternalSecretKey(pubKey, yubikey.info)
 
             pkVal = session.generateEcKey(KeyRef.SIG, OpenPgpCurve.SECP521R1)
-            pubKey = toPGPPublicKey(pkVal, keyVersion, creationTime,PublicKeyAlgorithm.ECDSA)
+            pubKey = toPGPPublicKey(pkVal, keyVersion, creationTime, PublicKeyAlgorithm.ECDSA)
 
             val signingKey = toSecretSubKey(toExternalSecretKey(pubKey, yubikey.info), yubikey.info)
 
             pkVal = session.generateEcKey(KeyRef.DEC, OpenPgpCurve.SECP521R1)
             pubKey = toPGPPublicKey(pkVal, keyVersion, creationTime, PublicKeyAlgorithm.ECDH)
 
-            val encryptionKey = toSecretSubKey(toExternalSecretKey(pubKey, yubikey.info), yubikey.info)
+            val encryptionKey =
+                toSecretSubKey(toExternalSecretKey(pubKey, yubikey.info), yubikey.info)
 
             return OpenPGPKey(PGPSecretKeyRing(listOf(primarykey, signingKey, encryptionKey)))
         }
     }
 
-    private fun toPGPPublicKey(pkVal: PublicKeyValues,
+    private fun toPGPPublicKey(
+        pkVal: PublicKeyValues,
         version: OpenPGPKeyVersion,
         creationTime: Date,
         algorithm: PublicKeyAlgorithm
     ): PGPPublicKey {
-        return converter.getPGPPublicKey(version.numeric,
+        return converter.getPGPPublicKey(
+            version.numeric,
             algorithm.algorithmId,
             null,
             pkVal.toPublicKey(),
@@ -75,10 +84,8 @@ class YubikeyKeyGenerator(private val api: PGPainless) {
                 0xfc,
                 null,
                 null,
-                GnuPGDummyKeyUtil.serialToBytes(deviceInfo.serialNumber!!)
+                GnuPGDummyKeyUtil.serialToBytes(deviceInfo.serialNumber!!)),
-            ),
+            pubkey)
-            pubkey
-        )
     }
 
     private fun toGnuStubbedSecretKey(pubKey: PGPPublicKey, deviceInfo: DeviceInfo): PGPSecretKey {
@@ -89,17 +96,18 @@ class YubikeyKeyGenerator(private val api: PGPainless) {
                 SecretKeyPacket.USAGE_SHA1,
                 S2K.gnuDummyS2K(S2K.GNUDummyParams.divertToCard()),
                 null,
-                GnuPGDummyKeyUtil.serialToBytes(deviceInfo.serialNumber!!)
+                GnuPGDummyKeyUtil.serialToBytes(deviceInfo.serialNumber!!)),
-            ),
             pubKey)
     }
 
     private fun toSecretSubKey(
         key: PGPSecretKey,
         deviceInfo: DeviceInfo,
-        fingerPrintCalculator: KeyFingerPrintCalculator = api.implementation.keyFingerPrintCalculator()
+        fingerPrintCalculator: KeyFingerPrintCalculator =
+            api.implementation.keyFingerPrintCalculator()
     ): PGPSecretKey {
-        val pubSubKey = PGPPublicKey(
+        val pubSubKey =
+            PGPPublicKey(
                 PublicSubkeyPacket(
                     key.publicKey.version,
                     key.publicKey.algorithm,
@@ -114,7 +122,6 @@ class YubikeyKeyGenerator(private val api: PGPainless) {
                 null,
                 null,
                 GnuPGDummyKeyUtil.serialToBytes(deviceInfo.serialNumber!!)),
-            pubSubKey
+            pubSubKey)
-        )
     }
 }

pgpainless-yubikey/src/main/kotlin/org/pgpainless/yubikey/YubikeyPGPContentSignerBuilderProvider.kt

@@ -1,7 +1,12 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
 import com.yubico.yubikit.openpgp.OpenPgpSession
+import java.io.OutputStream
 import org.bouncycastle.openpgp.PGPPrivateKey
 import org.bouncycastle.openpgp.PGPPublicKey
 import org.bouncycastle.openpgp.api.OpenPGPImplementation
@@ -10,7 +15,6 @@ import org.bouncycastle.openpgp.operator.PGPContentSignerBuilder
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilderProvider
 import org.pgpainless.algorithm.HashAlgorithm
 import org.pgpainless.yubikey.YubikeyDataDecryptorFactory.Companion.USER_PIN
-import java.io.OutputStream
 
 class YubikeyPGPContentSignerBuilderProvider(
     val hashAlgorithm: HashAlgorithm,
@@ -18,23 +22,23 @@ class YubikeyPGPContentSignerBuilderProvider(
     private val implementation: OpenPGPImplementation = OpenPGPImplementation.getInstance()
 ) : PGPContentSignerBuilderProvider(hashAlgorithm.algorithmId) {
 
-    private val softwareSignerBuilderProvider = implementation.pgpContentSignerBuilderProvider(hashAlgorithm.algorithmId)
+    private val softwareSignerBuilderProvider =
+        implementation.pgpContentSignerBuilderProvider(hashAlgorithm.algorithmId)
 
     override fun get(publicSigningKey: PGPPublicKey): PGPContentSignerBuilder {
         return object : PGPContentSignerBuilder {
 
-            override fun build(signatureType: Int,
+            override fun build(signatureType: Int, privateKey: PGPPrivateKey?): PGPContentSigner {
-                               privateKey: PGPPrivateKey?
-            ): PGPContentSigner {
                 // Delegate software-based signing keys to the implementations default
                 //  content signer builder provider
-                return softwareSignerBuilderProvider.get(publicSigningKey)
+                return softwareSignerBuilderProvider
+                    .get(publicSigningKey)
                     .build(signatureType, privateKey)
             }
 
-            override fun build(signatureType: Int
+            override fun build(signatureType: Int): PGPContentSigner {
-            ): PGPContentSigner {
+                val digestCalculator =
-                val digestCalculator = implementation.pgpDigestCalculatorProvider().get(hashAlgorithmId)
+                    implementation.pgpDigestCalculatorProvider().get(hashAlgorithmId)
                 val openPgpSession = OpenPgpSession(smartcardConnection)
 
                 // TODO: Move pin authorization somewhere else

pgpainless-yubikey/src/test/kotlin/org/pgpainless/yubikey/YubikeyDecryptionTest.kt

@@ -1,6 +1,9 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
-import com.yubico.yubikit.core.smartcard.SmartCardConnection
 import com.yubico.yubikit.openpgp.KeyRef
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Test
@@ -11,7 +14,8 @@ import org.pgpainless.util.Passphrase
 class YubikeyDecryptionTest : YubikeyTest() {
 
     // Complete software key
-    private val KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+    private val KEY =
+        "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Comment: BB2A C3E1 E595 CD05 CFA5  CFE6 EB2E 570D 9EE2 2891\n" +
             "Comment: Alice <alice@pgpainless.org>\n" +
             "\n" +
@@ -50,7 +54,8 @@ class YubikeyDecryptionTest : YubikeyTest() {
             "-----END PGP PRIVATE KEY BLOCK-----"
 
     // Software certificate
-    private val CERT = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
+    private val CERT =
+        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n" +
             "Comment: BB2A C3E1 E595 CD05 CFA5  CFE6 EB2E 570D 9EE2 2891\n" +
             "Comment: Alice <alice@pgpainless.org>\n" +
             "\n" +
@@ -84,7 +89,8 @@ class YubikeyDecryptionTest : YubikeyTest() {
             "=Oq+Y\n" +
             "-----END PGP PUBLIC KEY BLOCK-----"
 
-    private val MSG = "-----BEGIN PGP MESSAGE-----\n" +
+    private val MSG =
+        "-----BEGIN PGP MESSAGE-----\n" +
             "Version: PGPainless\n" +
             "\n" +
             "wcAQBhUEAh6XCjDVDdDeIypK3dKuQkQmRdESBCMEAV9Lm/I5jEe9t8Mdd7Pmk7S0\n" +
@@ -115,12 +121,16 @@ class YubikeyDecryptionTest : YubikeyTest() {
 
         // TODO: Make hardware decryption transparent as shown below!
 
-        val decIn = api.processMessage()
+        val decIn =
+            api.processMessage()
                 .onInputStream(msgIn)
-            .withOptions(ConsumerOptions.get(api)
+                .withOptions(
+                    ConsumerOptions.get(api)
                         .addHardwareTokenBackend(YubikeyHardwareTokenBackend())
-                .addDecryptionKey(hardwareBasedKey,
+                        .addDecryptionKey(
-                    SecretKeyRingProtector.unlockAnyKeyWith(Passphrase.fromPassword(String(userPin)))))
+                            hardwareBasedKey,
+                            SecretKeyRingProtector.unlockAnyKeyWith(
+                                Passphrase.fromPassword(String(userPin)))))
         val msg = decIn.readAllBytes()
         decIn.close()
         assertEquals("Hello, World!\n", String(msg))

pgpainless-yubikey/src/test/kotlin/org/pgpainless/yubikey/YubikeyHardwareTokenBackendTest.kt

@@ -1,11 +1,13 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import org.gnupg.GnuPGDummyKeyUtil
-import org.junit.jupiter.api.Assertions.assertNotNull
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Assumptions.assumeTrue
 import org.junit.jupiter.api.Test
-import java.util.Arrays
 
 class YubikeyHardwareTokenBackendTest : YubikeyTest() {
 
@@ -14,13 +16,8 @@ class YubikeyHardwareTokenBackendTest : YubikeyTest() {
     @Test
     fun testListDeviceSerials() {
         val serials = backend.listDeviceSerials()
-        assertTrue(serials.any {
+        assertTrue(
-            it.contentEquals(
+            serials.any { it.contentEquals(GnuPGDummyKeyUtil.serialToBytes(allowedSerialNumber)) })
-                GnuPGDummyKeyUtil.serialToBytes(
-                    allowedSerialNumber
-                )
-            )
-        })
     }
 
     @Test

pgpainless-yubikey/src/test/kotlin/org/pgpainless/yubikey/YubikeyKeyGeneratorTest.kt

@@ -1,18 +1,21 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
+import java.util.*
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Test
 import org.pgpainless.PGPainless
 import org.pgpainless.algorithm.OpenPGPKeyVersion
-import java.util.*
 
 class YubikeyKeyGeneratorTest : YubikeyTest() {
 
     @Test
     fun generateKey() {
         val keyGen = YubikeyKeyGenerator(PGPainless.getInstance())
-        val key = keyGen.generateModernKey(
+        val key = keyGen.generateModernKey(yubikey, adminPin, OpenPGPKeyVersion.v4, Date())
-            yubikey, adminPin, OpenPGPKeyVersion.v4, Date())
 
         println(key.toAsciiArmoredString())
         for (subkey in key.secretKeys) {

pgpainless-yubikey/src/test/kotlin/org/pgpainless/yubikey/YubikeySigningTest.kt

@@ -1,6 +1,12 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
 import com.yubico.yubikit.core.smartcard.SmartCardConnection
+import java.io.ByteArrayInputStream
+import java.io.ByteArrayOutputStream
 import org.bouncycastle.openpgp.operator.PGPContentSignerBuilderProvider
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Test
@@ -9,12 +15,11 @@ import org.pgpainless.decryption_verification.ConsumerOptions
 import org.pgpainless.encryption_signing.ProducerOptions
 import org.pgpainless.encryption_signing.SigningOptions
 import org.pgpainless.signature.PGPContentSignerBuilderProviderFactory
-import java.io.ByteArrayInputStream
-import java.io.ByteArrayOutputStream
 
 class YubikeySigningTest : YubikeyTest() {
 
-    private val KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
+    private val KEY =
+        "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
             "Comment: BB2A C3E1 E595 CD05 CFA5  CFE6 EB2E 570D 9EE2 2891\n" +
             "Comment: Alice <alice@pgpainless.org>\n" +
             "\n" +
@@ -65,17 +70,25 @@ class YubikeySigningTest : YubikeyTest() {
         val msgOut = ByteArrayOutputStream()
         device.openConnection(SmartCardConnection::class.java).use {
             val connection = it
-            val factory = object : PGPContentSignerBuilderProviderFactory {
+            val factory =
-                override fun create(hashAlgorithm: HashAlgorithm): PGPContentSignerBuilderProvider {
+                object : PGPContentSignerBuilderProviderFactory {
+                    override fun create(
+                        hashAlgorithm: HashAlgorithm
+                    ): PGPContentSignerBuilderProvider {
                         return YubikeyPGPContentSignerBuilderProvider(hashAlgorithm, connection)
                     }
                 }
 
-            val sigOut = api
+            val sigOut =
-                .generateMessage()
+                api.generateMessage()
                     .onOutputStream(msgOut)
-                .withOptions(ProducerOptions.sign(SigningOptions.get()
+                    .withOptions(
-                    .addInlineSignature(hardwareBasedSigningKey.signingKeys[0], factory, HashAlgorithm.SHA512)))
+                        ProducerOptions.sign(
+                            SigningOptions.get()
+                                .addInlineSignature(
+                                    hardwareBasedSigningKey.signingKeys[0],
+                                    factory,
+                                    HashAlgorithm.SHA512)))
 
             sigOut.write("Hello, World!".toByteArray())
             sigOut.close()
@@ -84,9 +97,9 @@ class YubikeySigningTest : YubikeyTest() {
 
         api.processMessage()
             .onInputStream(ByteArrayInputStream(msgOut.toByteArray()))
-            .withOptions(ConsumerOptions.get()
+            .withOptions(
-                .addVerificationCert(hardwareBasedSigningKey.toCertificate())
+                ConsumerOptions.get().addVerificationCert(hardwareBasedSigningKey.toCertificate()))
-            ).use {
+            .use {
                 it.readAllBytes()
                 it.close()
                 assertTrue(it.metadata.isVerifiedSigned())

pgpainless-yubikey/src/test/kotlin/org/pgpainless/yubikey/YubikeyTest.kt

@@ -1,9 +1,13 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package org.pgpainless.yubikey
 
+import java.util.Properties
 import org.bouncycastle.openpgp.api.bc.BcOpenPGPImplementation
 import org.opentest4j.TestAbortedException
 import org.pgpainless.PGPainless
-import java.util.Properties
 
 abstract class YubikeyTest() {
 
@@ -21,17 +25,20 @@ abstract class YubikeyTest() {
         }
     }
 
-    open val api: PGPainless = PGPainless(BcOpenPGPImplementation()).apply {
+    open val api: PGPainless =
+        PGPainless(BcOpenPGPImplementation()).apply {
             hardwareTokenBackends.add(YubikeyHardwareTokenBackend())
         }
 
     open val helper: YubikeyHelper = YubikeyHelper(api)
 
-    val yubikey: Yubikey = YubikeyHelper().listDevices().find { it.serialNumber == allowedSerialNumber }
+    val yubikey: Yubikey =
+        YubikeyHelper().listDevices().find { it.serialNumber == allowedSerialNumber }
             ?: throw TestAbortedException("No allowed device found.")
 
     private fun getProperty(properties: Properties, key: String): String {
         return properties.getProperty(key)
-            ?: throw TestAbortedException("Could not find property $key in pgpainless-yubikey/src/test/resources/yubikey.properties")
+            ?: throw TestAbortedException(
+                "Could not find property $key in pgpainless-yubikey/src/test/resources/yubikey.properties")
     }
 }