PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-09 18:29:39 +02:00
Code Issues Releases Wiki Activity

Make secret key protection settings customizable via policy

Browse source
This commit is contained in:
Paul Schaub 2025-03-13 16:12:43 +01:00
parent 671dde0de9
commit b1855d0a13
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
4 changed files with 8 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

8
pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt
View file

@ -19,7 +19,6 @@ import org.pgpainless.algorithm.KeyFlag
import org.pgpainless.algorithm.OpenPGPKeyVersion import org.pgpainless.algorithm.OpenPGPKeyVersion
import org.pgpainless.algorithm.SignatureType import org.pgpainless.algorithm.SignatureType
import org.pgpainless.bouncycastle.extensions.unlock import org.pgpainless.bouncycastle.extensions.unlock
import org.pgpainless.key.protection.KeyRingProtectionSettings
import org.pgpainless.policy.Policy import org.pgpainless.policy.Policy
import org.pgpainless.signature.subpackets.SelfSignatureSubpackets import org.pgpainless.signature.subpackets.SelfSignatureSubpackets
import org.pgpainless.signature.subpackets.SignatureSubpackets import org.pgpainless.signature.subpackets.SignatureSubpackets
@ -93,7 +92,7 @@ class KeyRingBuilder(
requireNotNull(primaryKeySpec) { "Primary Key spec required." } requireNotNull(primaryKeySpec) { "Primary Key spec required." }
val certKey = generateKeyPair(primaryKeySpec!!, version) val certKey = generateKeyPair(primaryKeySpec!!, version)
val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey, false) val secretKeyEncryptor = buildSecretKeyEncryptor(certKey.publicKey)
val secretKeyDecryptor = buildSecretKeyDecryptor() val secretKeyDecryptor = buildSecretKeyDecryptor()
passphrase.clear() // Passphrase was used above, so we can get rid of it passphrase.clear() // Passphrase was used above, so we can get rid of it
@ -229,15 +228,14 @@ class KeyRingBuilder(
private fun buildSecretKeyEncryptor( private fun buildSecretKeyEncryptor(
publicKey: PGPPublicKey, publicKey: PGPPublicKey,
aead: Boolean
): PBESecretKeyEncryptor? { ): PBESecretKeyEncryptor? {
check(passphrase.isValid) { "Passphrase was cleared." } check(passphrase.isValid) { "Passphrase was cleared." }
val protectionSettings = KeyRingProtectionSettings.secureDefaultSettings() val protectionSettings = PGPainless.getPolicy().keyProtectionSettings
return if (passphrase.isEmpty) null return if (passphrase.isEmpty) null
else else
OpenPGPImplementation.getInstance() OpenPGPImplementation.getInstance()
.pbeSecretKeyEncryptorFactory( .pbeSecretKeyEncryptorFactory(
aead, protectionSettings.aead,
protectionSettings.encryptionAlgorithm.algorithmId, protectionSettings.encryptionAlgorithm.algorithmId,
protectionSettings.s2kCount) protectionSettings.s2kCount)
.build(passphrase.getChars(), publicKey.publicKeyPacket) .build(passphrase.getChars(), publicKey.publicKeyPacket)

2
pgpainless-core/src/main/kotlin/org/pgpainless/key/protection/BaseSecretKeyRingProtector.kt
View file

@ -49,7 +49,7 @@ open class BaseSecretKeyRingProtector(
else else
OpenPGPImplementation.getInstance() OpenPGPImplementation.getInstance()
.pbeSecretKeyEncryptorFactory( .pbeSecretKeyEncryptorFactory(
false, protectionSettings.aead,
protectionSettings.encryptionAlgorithm.algorithmId, protectionSettings.encryptionAlgorithm.algorithmId,
protectionSettings.s2kCount) protectionSettings.s2kCount)
.build(it.getChars(), key.publicKeyPacket) .build(it.getChars(), key.publicKeyPacket)

2
pgpainless-core/src/main/kotlin/org/pgpainless/key/util/KeyRingUtils.kt
View file

@ -509,7 +509,7 @@ class KeyRingUtils {
return PGPSecretKey.copyWithNewPassword( return PGPSecretKey.copyWithNewPassword(
secretKey, secretKey,
oldProtector.getDecryptor(secretKey.keyID), oldProtector.getDecryptor(secretKey.keyIdentifier),
newProtector.getEncryptor(secretKey.publicKey)) newProtector.getEncryptor(secretKey.publicKey))
} }

3
pgpainless-core/src/main/kotlin/org/pgpainless/policy/Policy.kt
View file

@ -6,6 +6,7 @@ package org.pgpainless.policy
import java.util.* import java.util.*
import org.pgpainless.algorithm.* import org.pgpainless.algorithm.*
import org.pgpainless.key.protection.KeyRingProtectionSettings
import org.pgpainless.util.DateUtil import org.pgpainless.util.DateUtil
import org.pgpainless.util.NotationRegistry import org.pgpainless.util.NotationRegistry
@ -17,6 +18,7 @@ class Policy(
var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy, var symmetricKeyDecryptionAlgorithmPolicy: SymmetricKeyAlgorithmPolicy,
var compressionAlgorithmPolicy: CompressionAlgorithmPolicy, var compressionAlgorithmPolicy: CompressionAlgorithmPolicy,
var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy, var publicKeyAlgorithmPolicy: PublicKeyAlgorithmPolicy,
var keyProtectionSettings: KeyRingProtectionSettings,
var notationRegistry: NotationRegistry var notationRegistry: NotationRegistry
) { ) {
@ -29,6 +31,7 @@ class Policy(
SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022(), SymmetricKeyAlgorithmPolicy.symmetricKeyDecryptionPolicy2022(),
CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(), CompressionAlgorithmPolicy.anyCompressionAlgorithmPolicy(),
PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(), PublicKeyAlgorithmPolicy.bsi2021PublicKeyAlgorithmPolicy(),
KeyRingProtectionSettings.secureDefaultSettings(),
NotationRegistry()) NotationRegistry())
var keyGenerationAlgorithmSuite = AlgorithmSuite.defaultAlgorithmSuite var keyGenerationAlgorithmSuite = AlgorithmSuite.defaultAlgorithmSuite