PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2025-09-09 18:29:39 +02:00
Code Issues Releases Wiki Activity

Initial implementation of 'change-key-password' command of SOP-07

Browse source
This commit is contained in:
Paul Schaub 2023-07-12 00:40:59 +02:00
parent 37bbe8bb39
commit d3fe850c95
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
5 changed files with 193 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

99
pgpainless-core/src/main/java/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.java
View file

@ -4,8 +4,21 @@
package org.pgpainless.key.modification.secretkeyring;
import org.bouncycastle.bcpg.S2K;
import org.bouncycastle.bcpg.SecretKeyPacket;
import static org.pgpainless.key.util.KeyRingUtils.changePassphrase;
import static org.pgpainless.util.CollectionUtils.concat;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.bcpg.sig.KeyExpirationTime;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair;
@ -14,8 +27,6 @@ import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.AlgorithmSuite;
import org.pgpainless.algorithm.CompressionAlgorithm;
@ -35,7 +46,6 @@ import org.pgpainless.key.protection.KeyRingProtectionSettings;
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnprotectedKeysProtector;
import org.pgpainless.key.protection.fixes.S2KUsageFix;
import org.pgpainless.key.protection.passphrase_provider.SolitaryPassphraseProvider;
import org.pgpainless.key.util.KeyRingUtils;
import org.pgpainless.key.util.RevocationAttributes;
@ -52,22 +62,6 @@ import org.pgpainless.signature.subpackets.SignatureSubpacketsUtil;
import org.pgpainless.util.Passphrase;
import org.pgpainless.util.selection.userid.SelectUserId;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import static org.pgpainless.util.CollectionUtils.concat;
public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
private PGPSecretKeyRing secretKeyRing;
@ -813,67 +807,4 @@ public class SecretKeyRingEditor implements SecretKeyRingEditorInterface {
}
}
private PGPSecretKeyRing changePassphrase(Long keyId,
PGPSecretKeyRing secretKeys,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
List<PGPSecretKey> secretKeyList = new ArrayList<>();
if (keyId == null) {
// change passphrase of whole key ring
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
secretKeyList.add(secretKey);
}
} else {
// change passphrase of selected subkey only
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) {
// Re-encrypt only the selected subkey
secretKey = reencryptPrivateKey(secretKey, oldProtector, newProtector);
}
secretKeyList.add(secretKey);
}
}
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
return newRing;
}
private PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
throws PGPException {
boolean hasS2KUsageChecksum = false;
for (PGPSecretKey secKey : secretKeys) {
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
hasS2KUsageChecksum = true;
break;
}
}
if (hasS2KUsageChecksum) {
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
secretKeys, protector, true);
}
return secretKeys;
}
private static PGPSecretKey reencryptPrivateKey(
PGPSecretKey secretKey,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
S2K s2k = secretKey.getS2K();
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
long secretKeyId = secretKey.getKeyID();
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
}
return secretKey;
}
}

71
pgpainless-core/src/main/java/org/pgpainless/key/util/KeyRingUtils.java
View file

@ -14,6 +14,8 @@ import java.util.NoSuchElementException;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.bouncycastle.bcpg.S2K;
import org.bouncycastle.bcpg.SecretKeyPacket;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyRing;
import org.bouncycastle.openpgp.PGPPrivateKey;
@ -25,11 +27,14 @@ import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPUserAttributeSubpacketVector;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.PBESecretKeyEncryptor;
import org.bouncycastle.util.Strings;
import org.pgpainless.PGPainless;
import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.protection.SecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.key.protection.fixes.S2KUsageFix;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -515,4 +520,70 @@ public final class KeyRingUtils {
}
return userIds;
}
public static PGPSecretKeyRing changePassphrase(Long keyId,
PGPSecretKeyRing secretKeys,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
List<PGPSecretKey> secretKeyList = new ArrayList<>();
if (keyId == null) {
// change passphrase of whole key ring
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
secretKeyList.add(secretKey);
}
} else {
// change passphrase of selected subkey only
Iterator<PGPSecretKey> secretKeyIterator = secretKeys.getSecretKeys();
while (secretKeyIterator.hasNext()) {
PGPSecretKey secretKey = secretKeyIterator.next();
if (secretKey.getPublicKey().getKeyID() == keyId) {
// Re-encrypt only the selected subkey
secretKey = KeyRingUtils.reencryptPrivateKey(secretKey, oldProtector, newProtector);
}
secretKeyList.add(secretKey);
}
}
PGPSecretKeyRing newRing = new PGPSecretKeyRing(secretKeyList);
newRing = s2kUsageFixIfNecessary(newRing, newProtector);
return newRing;
}
public static PGPSecretKey reencryptPrivateKey(
PGPSecretKey secretKey,
SecretKeyRingProtector oldProtector,
SecretKeyRingProtector newProtector)
throws PGPException {
S2K s2k = secretKey.getS2K();
// If the key uses GNU_DUMMY_S2K, we leave it as is and skip this block
if (s2k == null || s2k.getType() != S2K.GNU_DUMMY_S2K) {
long secretKeyId = secretKey.getKeyID();
PBESecretKeyDecryptor decryptor = oldProtector.getDecryptor(secretKeyId);
PBESecretKeyEncryptor encryptor = newProtector.getEncryptor(secretKeyId);
secretKey = PGPSecretKey.copyWithNewPassword(secretKey, decryptor, encryptor);
}
return secretKey;
}
public static PGPSecretKeyRing s2kUsageFixIfNecessary(PGPSecretKeyRing secretKeys, SecretKeyRingProtector protector)
throws PGPException {
boolean hasS2KUsageChecksum = false;
for (PGPSecretKey secKey : secretKeys) {
if (secKey.getS2KUsage() == SecretKeyPacket.USAGE_CHECKSUM) {
hasS2KUsageChecksum = true;
break;
}
}
if (hasS2KUsageChecksum) {
secretKeys = S2KUsageFix.replaceUsageChecksumWithUsageSha1(
secretKeys, protector, true);
}
return secretKeys;
}
}