PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-09 10:19:39 +02:00
Code Issues Releases Wiki Activity

HardwareSecurity: Replace usage of Long KeyId with KeyIdentifier

Browse source
This commit is contained in:
Paul Schaub 2025-04-08 13:21:11 +02:00
parent f3257d9405
commit c7c3d5b3ab
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
2 changed files with 29 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

27
pgpainless-core/src/main/kotlin/org/pgpainless/decryption_verification/HardwareSecurity.kt
View file

@ -6,6 +6,7 @@ package org.pgpainless.decryption_verification
import kotlin.jvm.Throws
import org.bouncycastle.bcpg.AEADEncDataPacket
import org.bouncycastle.bcpg.KeyIdentifier
import org.bouncycastle.bcpg.SymmetricEncIntegrityPacket
import org.bouncycastle.openpgp.PGPException
import org.bouncycastle.openpgp.PGPSessionKey
@ -33,12 +34,36 @@ class HardwareSecurity {
* @return decrypted session key
* @throws HardwareSecurityException exception
*/
@Deprecated("Pass in a KeyIdentifier instead of a Long keyId.")
@Throws(HardwareSecurityException::class)
fun decryptSessionKey(
keyId: Long,
keyAlgorithm: Int,
sessionKeyData: ByteArray,
pkeskVersion: Int
): ByteArray =
decryptSessionKey(KeyIdentifier(keyId), keyAlgorithm, sessionKeyData, pkeskVersion)
/**
* Delegate decryption of a Public-Key-Encrypted-Session-Key (PKESK) to an external API for
* dealing with hardware security modules such as smartcards or TPMs.
*
* If decryption fails for some reason, a subclass of the [HardwareSecurityException] is
* thrown.
*
* @param keyIdentifier identifier of the encryption component key
* @param keyAlgorithm algorithm
* @param sessionKeyData encrypted session key
* @param pkeskVersion version of the Public-Key-Encrypted-Session-Key packet (3 or 6)
* @return decrypted session key
* @throws HardwareSecurityException exception
*/
@Throws(HardwareSecurityException::class)
fun decryptSessionKey(
keyIdentifier: KeyIdentifier,
keyAlgorithm: Int,
sessionKeyData: ByteArray,
pkeskVersion: Int
): ByteArray
}
@ -84,7 +109,7 @@ class HardwareSecurity {
): ByteArray {
return try {
callback.decryptSessionKey(
subkeyIdentifier.subkeyId, keyAlgorithm, secKeyData[0], pkeskVersion)
subkeyIdentifier.keyIdentifier, keyAlgorithm, secKeyData[0], pkeskVersion)
} catch (e: HardwareSecurityException) {
throw PGPException("Hardware-backed decryption failed.", e)
}

5
pgpainless-core/src/test/java/org/pgpainless/decryption_verification/CustomPublicKeyDataDecryptorFactoryTest.java
View file

@ -4,6 +4,7 @@
package org.pgpainless.decryption_verification;
import org.bouncycastle.bcpg.KeyIdentifier;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.api.OpenPGPCertificate;
import org.bouncycastle.openpgp.api.OpenPGPKey;
@ -52,11 +53,11 @@ public class CustomPublicKeyDataDecryptorFactoryTest {
HardwareSecurity.DecryptionCallback hardwareDecryptionCallback = new HardwareSecurity.DecryptionCallback() {
@Override
public byte[] decryptSessionKey(long keyId, int keyAlgorithm, byte[] sessionKeyData, int pkeskVersion)
public byte[] decryptSessionKey(KeyIdentifier keyIdentifier, int keyAlgorithm, byte[] sessionKeyData, int pkeskVersion)
throws HardwareSecurity.HardwareSecurityException {
// Emulate hardware decryption.
try {
OpenPGPKey.OpenPGPSecretKey decryptionKey = secretKey.getSecretKey(encryptionKey.getKeyIdentifier());
OpenPGPKey.OpenPGPSecretKey decryptionKey = secretKey.getSecretKey(keyIdentifier);
OpenPGPKey.OpenPGPPrivateKey privateKey = UnlockSecretKey.unlockSecretKey(decryptionKey, Passphrase.emptyPassphrase());
PublicKeyDataDecryptorFactory internal = new BcPublicKeyDataDecryptorFactory(privateKey.getKeyPair().getPrivateKey());
return internal.recoverSessionData(keyAlgorithm, new byte[][] {sessionKeyData}, pkeskVersion);